Version Details and Security Vulnerabilities

📦

nuxt

3.17.1

Comparision Betweeen 3.17.1 and 3.17.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

265

Unpacked Size

806.55 KB

806.08 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

nuxt

3.17.1

Comparision Betweeen 3.17.1 and 3.17.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

265

Unpacked Size

806.55 KB

806.08 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.17.1 of the package nuxt.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.17.1 of the package

Summary:

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

Details:

Summary

A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

Technical Details

The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:

During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
This data gets serialized with devalue.stringify and stored in the prerendered page
When a client navigates to the prerendered page, devalue.parse deserializes the payload
The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences

Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)

Attack Scenario

// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment

Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
Client-Side Only: Requests originate from the client, not the server

Mitigation

Action Required:

Update to Nuxt 3.19.0+ or 4.1.0+ immediately
Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

Disable prerendering for pages that fetch user-controlled data
Implement strict input validation on API endpoints used during prerendering
Use allowlists for API response structures during prerendering

Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
Maximum length of 100 characters
Prevents path traversal and special characters

Details about nuxt@3.17.1

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.17.1 of the package nuxt.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.17.1 of the package

Summary:

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

Details:

Summary

Technical Details

During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
This data gets serialized with devalue.stringify and stored in the prerendered page
When a client navigates to the prerendered page, devalue.parse deserializes the payload
The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences

Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)

Attack Scenario

// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment

Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
Client-Side Only: Requests originate from the client, not the server

Mitigation

Action Required:

Update to Nuxt 3.19.0+ or 4.1.0+ immediately
Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

Disable prerendering for pages that fetch user-controlled data
Implement strict input validation on API endpoints used during prerendering
Use allowlists for API response structures during prerendering

Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
Maximum length of 100 characters
Prevents path traversal and special characters

Details about nuxt@3.17.1

Version Details and Security Vulnerabilities

nuxt

Comparision Betweeen 3.17.1 and 3.17.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

nuxt

Comparision Betweeen 3.17.1 and 3.17.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Technical Details

Prerequisites for Exploitation

Attack Scenario

Impact Assessment

Mitigation

Fix Details

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Technical Details

Prerequisites for Exploitation

Attack Scenario

Impact Assessment

Mitigation

Fix Details

Version Details and Security Vulnerabilities

nuxt

Comparision Betweeen 3.17.1 and 3.17.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

nuxt

Comparision Betweeen 3.17.1 and 3.17.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

nuxt@3.17.1 GHSA-p6jq-8vc4-79f6 3.1

Summary

Technical Details

Prerequisites for Exploitation

Attack Scenario

Impact Assessment

Mitigation

Fix Details

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

nuxt@3.17.1 GHSA-p6jq-8vc4-79f6 3.1

Summary

Technical Details

Prerequisites for Exploitation

Attack Scenario

Impact Assessment

Mitigation

Fix Details