| 2026-06-16 | Cross-site scripting via <NoScript> slot content in Nuxt’s head components Impact
Nuxt’s globally registered <NoScript> component (from @unhead/vue head components, re-exported by Nuxt) wrote its default-slot content to the innerHTML of the <noscript> head tag, bypassing the HTML escaping that {{ }} interpolation normally applies in Vue templates.
Applications that placed untrusted, attacker-controllable data inside a <NoScript> slot, for example:
<NoScript>{{ route.query.banner }}</NoScript>
would emit that value unescaped inside <noscript> in the server…
Component: nuxt | Low | >= 4.0.0, < 4.4.7; < 3.21.7 | 3.21.7, 4.4.7 | Advisory |
| 2026-06-16 | Nuxt dev server vite-node IPC socket is world-connectable on Linux Impact
When running nuxt dev on Linux (Node.js 20+, outside Docker / StackBlitz), Nuxt’s internal vite-node IPC server binds to a Linux abstract-namespace Unix socket (\0nuxt-vite-node-<pid>-<ts>.sock). Abstract sockets have no filesystem inode and therefore no permission bits: any local UID on the host that can read /proc/net/unix can enumerate the socket and connect to it.
The IPC server does not perform any peer-credential or shared-secret check before dispatching requests. The module request type…
Component: nuxt | Medium | >= 4.0.0, < 4.4.7; >= 3.18.0, < 3.21.7 | 3.21.7, 4.4.7 | Advisory |
| 2026-06-16 | Nuxt: Reflected XSS in <NuxtLink> via unsanitised javascript: or data: URL Summary
<NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt appli…
Component: nuxt | Medium | >= 4.0.0, < 4.4.7; < 3.21.7 | 3.21.7, 4.4.7 | CVE-2026-53722 |
| 2026-06-16 | Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher Impact
Nuxt looks up routeRules for the current navigation by calling
getRouteRules({ path: to.path }) from the page-router plugin and the
no-pages router plugin. The compiled routeRules matcher (built on
rou3) performs case-sensitive matching, while vue-router is configured
with its default sensitive: false and matches paths case-insensitively.
The two routers therefore disagree on which rules apply to a given
request path: vue-router still matches the page record for
/Admin/dashboard, but the `r…
Component: nuxt | High | >= 4.0.0, < 4.4.7; >= 3.11.0, < 3.21.7 | 3.21.7, 4.4.7 | CVE-2026-53721 |
| 2026-06-16 | Nuxt: URL-handling weaknesses in navigateTo and reloadNuxtApp: SSR open redirect, client-side script execution via the open option, and protocol-relative bypass in reloadNuxtApp Summary
Three weaknesses in Nuxt’s client-navigation URL handling, all reachable
from documented public APIs (navigateTo and reloadNuxtApp):
- SSR open redirect in
navigateTo via path-normalisation bypass.
navigateTo decided whether a target was external by inspecting the raw
input with hasProtocol(..., { acceptRelative: true }). Inputs such as
/..//evil.com, /.//evil.com, /%2e%2e//evil.com, or
/app/..//evil.com slipped past that check because they start with
/, but WH…
Component: nuxt | Medium | >= 4.0.0, < 4.4.7; < 3.21.7 | 3.21.7, 4.4.7 | Advisory |
| 2026-06-15 | Nuxt: Dev server discloses project absolute path and persistent workspace UUID via /.well-known/appspecific/com.chrome.devtools.json Summary
When running nuxt dev, Nuxt registers an unauthenticated route at /.well-known/appspecific/com.chrome.devtools.json that returns the absolute filesystem path of the project root and a per-project UUID persisted to node_modules/.cache/nuxt/chrome-workspace.json. The route is enabled by default via experimental.chromeDevtoolsProjectSettings: true.
The endpoint exists to let Chrome DevTools’ Workspace integration map sources to the developer’s local checkout. The handler is registered directly o…
Component: nuxt | Low | >= 4.0.0-alpha.1, < 4.4.7 | 4.4.7 | Advisory |
| 2026-05-29 | Nuxt’s route middleware is not enforced when rendering .server.vue pages via /__nuxt_island/page_* Summary
When experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run.
For Nuxt applicati…
Component: nuxt | Medium | >= 3.11.0, <= 3.21.5; >= 4.0.0-alpha.1, <= 4.4.5 | 3.21.6, 4.4.6 | CVE-2026-47200 |
| 2026-05-19 | Nuxt: __nuxt_island endpoint does not bind responses to request props, enabling shared-cache poisoning Summary
The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query.
Island components are documented as rendering independently of route context - page middleware…
Component: nuxt | Low | >= 3.1.0, <= 3.21.5; >= 4.0.0-alpha.1, <= 4.4.5 | 3.21.6, 4.4.6 | CVE-2026-46342 |
| 2026-05-19 | Nuxt: Reflected XSS in navigateTo() external redirect Summary
navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application’s origin.
This is a different root cause from CVE-2024-34343 (GHS…
Component: nuxt | Medium | >= 3.4.3, <= 3.21.5; >= 4.0.0-alpha.1, <= 4.4.5 | 3.21.6, 4.4.6 | CVE-2026-45669 |
| 2025-09-17 | Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival Summary
A client-side path traversal vulnerability in Nuxt’s Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.
Technical Details
The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:
- Du…
Component: nuxt | Low | >= 3.6.0, < 3.19.0; >= 4.0.0, < 4.1.0 | 3.19.0, 4.1.0 | CVE-2025-59414 |
| 2025-03-19 | Nuxt allows DOS via cache poisoning with payload rendering response Summary
By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.
It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.
Impact
An attacker can perform this attack…
Component: nuxt | High | >= 3.0.0, < 3.16.0 | 3.16.0 | CVE-2025-27415 |
| 2024-08-05 | nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR Summary
The navigateTo function attempts to blockthe javascript: protocol, but does not correctly use API’s provided by unjs/ufo. This library also contains parsing discrepancies.
Details
The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and retu…
Component: nuxt | Medium | < 3.12.4 | 3.12.4 | CVE-2024-34343 |
| 2024-08-05 | Nuxt vulnerable to remote code execution via the browser when running the test locally Summary
Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.
Details
While running the test, a special component named NuxtTestComponentWrapper is available.
https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/nuxt-root.vue#L42-L43
This component loads the specified path as a component and renders…
Component: nuxt | Critical | >= 3.4.0, < 3.12.4 | 3.12.4 | CVE-2024-34344 |
| 2023-06-13 | nuxt Code Injection vulnerability he Nuxt dev server between versions 3.4.0 and 3.4.3 is vulnerable to code injection when it is exposed publicly.
Component: nuxt | Critical | >= 3.4.0, < 3.4.3 | 3.4.3 | CVE-2023-3224 |
