Skip to main content

Nuxt CVE-2026-45669

| EUVDEUVD-2026-36420 MEDIUM
Improper Neutralization of Script in Attributes in a Web Page (CWE-83)
2026-05-19 https://github.com/nuxt/nuxt GHSA-fx6j-w5w5-h468
5.3
CVSS 4.0 · Vendor: https://github.com/nuxt/nuxt
Share

Severity by source

Vendor (https://github.com/nuxt/nuxt) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nuxt/nuxt) · only source for this CVE.

CVSS VectorVendor: https://github.com/nuxt/nuxt

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 12, 2026 - 14:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
May 19, 2026 - 16:35 vuln.today
Analysis Generated
May 19, 2026 - 16:35 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on nuxt (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.4.3.

DescriptionCVE.org

Summary

navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin.

This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed javascript: protocol bypass. The issue here is triggered by any valid URL containing >.

Impact

Applications that pass user-controlled input to navigateTo(url, { external: true }) - typically via a ?next= / ?redirect= query parameter used for post-login or "return to" flows - are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires.

Details

In packages/nuxt/src/app/composables/router.ts, the SSR redirect path builds an HTML response body with only " percent-encoded in the destination URL:

ts
const encodedLoc = location.replace(/"/g, '%22')
nuxtApp.ssrContext!['~renderResponse'] = {
status: sanitizeStatusCode(options?.redirectCode || 302, 302),
body: `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`,
headers: { location: encodeURL(location, isExternalHost) },
}

The Location header is normalised through encodeURL() (which uses the URL constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause.

Proof of concept

Global middleware that forwards a query parameter to navigateTo:

ts
// middleware/redirect.global.ts
export default defineNuxtRouteMiddleware((to) => {
const next = to.query.next as string | undefined
if (next) {
 return navigateTo(next, { external: true })
}
})

Request:

GET /?next=https://evil.example/x><img src=x onerror=alert(document.domain)>

Response body:

html
<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=https://evil.example/x><img src=x onerror=alert(document.domain)>"></head></html>

The > after evil.example/x terminates the content="…" attribute, and the <img onerror> tag executes JavaScript in the application's origin before any redirect occurs.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #35052. The fix percent-encodes the full set of HTML-attribute-significant characters (&, ", ', <, >) before interpolating the URL into the meta-refresh body

Workarounds

If you can't upgrade immediately, validate user-controlled URLs before passing them to navigateTo(url, { external: true }). At minimum, normalise through new URL(input).toString() and reject inputs containing < or > (a normalised URL with these characters is malformed and safe to refuse).

AnalysisAI

Reflected XSS in Nuxt's navigateTo() function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to navigateTo(url, { external: true }) - the common post-login ?next= or ?redirect= redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.

Technical ContextAI

The vulnerability resides in packages/nuxt/src/app/composables/router.ts within the Nuxt.js SSR framework (pkg:npm/nuxt). When navigateTo() is called with external: true during server-side rendering, Nuxt constructs an HTML redirect response body embedding the destination URL in a <meta http-equiv="refresh" content="0; url=..."> tag. Prior to the fix, only the double-quote character was encoded ("%22), while HTML-attribute-significant characters <, >, &, and ' were passed through unencoded. This contrasts with the Location HTTP header path, which correctly routes through encodeURL() backed by the browser URL constructor and fully percent-encodes these characters. CWE-83 (Improper Neutralization of Script in Attributes in a Web Page) describes this root cause precisely: insufficient output encoding when interpolating untrusted data into an HTML attribute context, enabling attribute boundary breakout. This is a distinct root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which blocked javascript: protocol injection but left the HTML encoding gap unaddressed.

RemediationAI

Upgrade to nuxt 3.21.6 (v3 branch) or nuxt 4.4.6 (v4 branch), which resolve this issue by replacing the narrow double-quote-only encoder with a full HTML-attribute encoder covering &, ", ', <, and > - implemented via pull request https://github.com/nuxt/nuxt/pull/35052. If immediate upgrade is not possible, add application-level input validation before any call to navigateTo(url, { external: true }): normalize the input through new URL(input).toString() and reject any value whose normalized form still contains < or >, as a correctly normalized URL never contains these characters raw. This workaround requires modifying every call site that accepts user-controlled redirect targets and may reject unusual but technically valid URLs that contain these characters in fragments - a trade-off that is acceptable given the security benefit. CSP alone is not a reliable compensating control because it cannot universally block inline script execution injected via attribute breakout across all browser versions and configurations.

Share

CVE-2026-45669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy