Skip to main content

Og Image EUVDEUVD-2026-17668

| CVE-2026-34404 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-31 GitHub_M GHSA-c7xp-q6q8-hg76
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 21:46 euvd
EUVD-2026-17668
Analysis Generated
Mar 31, 2026 - 21:46 vuln.today
CVE Published
Mar 31, 2026 - 21:16 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.

AnalysisAI

Nuxt OG Image versions prior to 6.2.5 are vulnerable to denial of service through unbounded image dimension parameters in the /_og/d/ endpoint. Attackers can specify arbitrarily large width and height values, causing the image-generation component to consume excessive CPU and memory resources, resulting in application unavailability. No authentication is required to exploit this vulnerability.

Technical ContextAI

Nuxt OG Image is a Vue template-based image generation library for Nuxt applications. The vulnerability exists in the image-generation endpoint (/_og/d/ in newer versions, /og-image/ in older versions) which processes user-supplied width and height parameters without validation or bounds checking. The root cause falls under CWE-400 (Uncontrolled Resource Consumption), a class of vulnerabilities where lack of input validation on dimensional parameters allows attackers to trigger resource-exhaustion conditions. The affected product is identified by CPE cpe:2.3:a:nuxt-modules:og-image:*:*:*:*:*:*:*:* (all versions prior to 6.2.5).

RemediationAI

Vendor-released patch: upgrade to Nuxt OG Image version 6.2.5 or later. This version includes input validation to restrict width and height parameters to reasonable bounds, preventing unbounded resource consumption. Apply this patch immediately to all production deployments. Users should verify the upgrade by testing the /_og/d/ endpoint with normal-sized image requests to confirm functionality is restored. Consult the official GitHub Security Advisory (https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76) for additional context and upgrade instructions.

Share

EUVD-2026-17668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy