Nuxt 3.17.2 introduces incremental improvements over the previous stable version, 3.17.1, primarily focusing on dependency updates and internal refinements to enhance stability and performance. Developers updating to 3.17.2 will benefit from updated versions of several core dependencies. Notably, oxc-parser is updated from 0.67.0 to 0.68.1, potentially bringing parser improvements and bug fixes. vite, the build tool, sees an upgrade from 6.3.3 to 6.3.4, which might include performance enhancements and new features. @nuxt/kit and @nuxt/schema are also updated to version 3.17.2, aligning with the core Nuxt version and ensuring consistency across the framework.
The update also addresses underlying library improvements, evident in the slight increase in unpacked size from 825910 to 828528, suggesting added features or code optimizations. While the majority of dependencies remain consistent, these targeted updates are crucial for developers aiming to leverage the latest capabilities and security patches. While seemingly minor, such incremental releases are vital for maintaining a healthy and robust ecosystem, ensuring Nuxt applications remain performant and reliable. These fine-grained version bumps often incorporate vital bug fixes or performance improvements, making them noteworthy for developers focused on application refinement. It ensures developers are working with the most current and optimized version of the framework.
All the vulnerabilities related to the version 3.17.2 of the package
Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival
A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.
The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:
__nuxt_island objectdevalue.stringify and stored in the prerendered pagedevalue.parse deserializes the payload/__nuxt_island/${key}.json where key could contain path traversal sequencesThis vulnerability requires all of the following conditions:
nitro.prerender)useFetch, useAsyncData, or similar composables// Malicious API response during prerendering
{
"__nuxt_island": {
"key": "../../../../internal/service",
"params": { "action": "probe" }
}
}
This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.
Action Required:
Temporary Workarounds (if immediate update is not possible):
The fix implemented validation for Island keys in revive-payload.server.ts:
/^[a-z][a-z\d-]*_[a-z\d]+$/i