Nuxt
Monthly
Reflected DOM-based XSS in Nuxt's built-in <NuxtLink> component allows an unauthenticated attacker to inject script-capable URLs (javascript:, vbscript:) that execute in the application's origin when a victim clicks a crafted link, affecting all Nuxt v3 versions prior to 3.21.7 and v4 versions prior to 4.4.7. Exploitation is contingent on application code that binds attacker-controlled input - such as query parameters, CMS link fields, or user-supplied profile URLs - directly to the component's to or href props without prior sanitization. No public exploit code has been identified and the EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability; vendor-released patches are available in versions 3.21.7 and 4.4.7.
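The mitigation the entry implies (never bind untrusted input to `to`/`href` without checking its scheme) as an added example. This is not Nuxt's code and not the vendor patch; it is a scheme allowlist for application code that forwards a query parameter, CMS field or profile URL into `<NuxtLink>`. The site origin `https://app.example.invalid/` and the sample link targets are constructed for the demonstration.

```javascript
// Added example, not Nuxt's own code: validate a user-controlled link target
// before it is bound to <NuxtLink :to="..."> or rendered as href.
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://app.example.invalid/'; // hypothetical site origin, used to resolve relative paths

// Returns true only if `target` resolves to an allowlisted scheme. With
// sameOriginOnly set, protocol-relative and foreign absolute URLs are also refused.
function isSafeLinkTarget(target, { sameOriginOnly = false } = {}) {
  if (typeof target !== 'string' || target.length === 0) return false;
  let url;
  try {
    // WHATWG URL parsing strips leading/trailing C0 controls and spaces and removes
    // embedded tab/newline, and lowercases the scheme, so " javascript:", "java\tscript:"
    // and "JaVaScRiPt:" all normalise to javascript: exactly as a browser does on click.
    url = new URL(target, BASE);
  } catch {
    return false; // unparseable input is never a valid link target
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) return false;
  if (sameOriginOnly && url.origin !== new URL(BASE).origin) return false;
  return true;
}

// Constructed inputs of the kind an attacker could place in ?next= or a CMS link field.
const SAMPLE_TARGETS = [
  '/account',
  'https://app.example.invalid/docs',
  'javascript:alert(document.domain)',
  'JaVaScRiPt:alert(1)',
  ' javascript:alert(1)',
  'java\tscript:alert(1)',
  'vbscript:MsgBox(1)',
  'data:text/html,<script>alert(1)</script>',
  '//evil.example/phish',
];

// Map each sample to its verdict; handy for a unit test of the allowlist.
function classifyTargets(targets = SAMPLE_TARGETS, options = {}) {
  return Object.fromEntries(targets.map((t) => [t, isSafeLinkTarget(t, options)]));
}
```

Resolving against a base URL rather than string-matching on `javascript:` is the point: the browser applies the same normalisation when the link is followed, so a prefix check on the raw string misses the whitespace, tab and mixed-case variants that the parser collapses. A safe scheme is still not a safe destination; use `sameOriginOnly` where the value is meant to be an in-app path, otherwise the check prevents script execution but not an open redirect.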
Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined protections (authentication, redirects, headers, prerender/SSR controls) by simply varying URL case, because vue-router matches paths case-insensitively while the routeRules matcher matched case-sensitively: a request for /Admin/users reaches the same page as /admin/users but matches none of the rules written for it. The fix in 3.21.7 and 4.4.7 lowercases the path before matching. EPSS is 0.02% and no public exploit is identified at time of analysis, but the underlying class is trivially abused once an asymmetric rule is known.
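The asymmetry described above, reduced to a toy matcher as an added example. This is not Nuxt's or vue-router's code; the rule table, the `**` glob handling and the page path are constructed, and the two matcher variants only model the before/after behaviour the entry describes (exact-case lookup versus lowercasing the path first).

```javascript
// Added example, not Nuxt's matcher: why case-sensitive rule lookup combined with
// case-insensitive routing lets /Admin/users reach a page that /admin/** protects.
const routeRules = {
  '/admin/**': { auth: true },                                // constructed rule: require login
  '/api/**':   { headers: { 'cache-control': 'no-store' } },  // constructed rule: header policy
};

// Turn a routeRules-style pattern into a regex. Only the '**' wildcard is modelled.
function patternToRegExp(pattern) {
  const escaped = pattern
    .split('**')
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`);
}

// Vulnerable behaviour: the request path is compared exactly as sent,
// so '/Admin/users' matches no rule and no auth requirement is applied.
function matchRulesCaseSensitive(path) {
  return Object.entries(routeRules)
    .filter(([pattern]) => patternToRegExp(pattern).test(path))
    .map(([, rule]) => rule);
}

// Patched behaviour: lowercase the path before lookup so rule matching agrees
// with the router. Assumes rule keys themselves are written in lowercase.
function matchRulesLowercased(path) {
  return matchRulesCaseSensitive(path.toLowerCase());
}

// Simplified stand-in for the router side: the page is served whenever the
// request path equals the page path ignoring case.
function routerServes(pagePath, requestPath) {
  return pagePath.toLowerCase() === requestPath.toLowerCase();
}

function requiresAuth(rules) {
  return rules.some((rule) => rule.auth === true);
}

// True when the request reaches the protected page without the auth rule firing.
function bypassesAuth(requestPath, matcher, pagePath = '/admin/users') {
  return routerServes(pagePath, requestPath) && !requiresAuth(matcher(requestPath));
}
```

The check worth keeping from this is the last function: for every protected page, assert that `bypassesAuth` is false for at least one upper-cased variant of its path against the matcher actually deployed. Lowercasing the path only closes the gap if the rule keys are lowercase too, which is why the example states that assumption explicitly.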
Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alpha.1-4.4.6) enables a LAN-adjacent attacker to read a developer's full application source from the webpack dev server when it is bound to a non-loopback address via `nuxt dev --host`. This is a second incomplete fix in a chain stemming from GHSA-4gf7-ff8x-hq99: the previous patch (GHSA-6m52-m754-pw2g) relied on Sec-Fetch-* metadata headers that browsers silently omit for non-trustworthy (plain HTTP) origins, leaving a bypass when an attacker page strips all three identifying headers (Sec-Fetch-Site, Origin, Referer) simultaneously. A proof-of-concept JavaScript payload is documented in the GHSA advisory; EPSS is very low at 0.02% (7th percentile) and no CISA KEV entry exists, reflecting the narrow exploitation conditions required.
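The failure mode in the second-stage fix, as an added example of the general class rather than a reconstruction of either advisory's patch: a request gate that reads browser-supplied metadata and falls open when that metadata is absent. Neither function is Nuxt's or webpack-dev-server's code; the bind address `http://192.168.1.20:3000` stands in for a `nuxt dev --host` origin and the header sets are constructed.

```javascript
// Added example, not the advisory's patch: two gates deciding whether a request to
// a non-loopback dev server came from the developer's own page. Header names are
// lowercase keys, as Node's http module presents them.
const DEV_ORIGIN = 'http://192.168.1.20:3000'; // hypothetical `nuxt dev --host` bind

// Does an Origin or Referer value name the dev server's origin? Parsed rather than
// prefix-matched so 'http://192.168.1.20:3000.attacker.example' does not pass.
function fromDevOrigin(value) {
  try {
    return new URL(value).origin === DEV_ORIGIN;
  } catch {
    return false;
  }
}

// Incomplete gate: trusts Sec-Fetch-Site when present and, when it and the other
// identifying headers are all absent, assumes a legacy client or same-origin request
// and allows. Browsers omit Sec-Fetch-* for plain-HTTP destinations, and a fetch can
// be issued without Origin or Referer, so the permissive branch is reachable cross-site.
function gateHeaderBased(headers) {
  const site = headers['sec-fetch-site'];
  if (site !== undefined) return site === 'same-origin' || site === 'none';
  const origin = headers['origin'] ?? headers['referer'];
  if (origin !== undefined) return fromDevOrigin(origin);
  return true; // all three absent: allowed, which is the bypass
}

// Fail-closed gate: an explicit cross-site signal rejects, and the absence of every
// identifying header is treated as foreign instead of friendly.
function gateFailClosed(headers) {
  const site = headers['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin' && site !== 'none') return false;
  if (site === 'same-origin' || site === 'none') return true;
  const origin = headers['origin'] ?? headers['referer'];
  if (origin === undefined) return false;
  return fromDevOrigin(origin);
}

// Constructed request header sets: a developer's own browser on plain HTTP (no
// Sec-Fetch-*, Referer present), and an attacker page that withheld all three.
const DEVELOPER_REQUEST = { referer: 'http://192.168.1.20:3000/' };
const STRIPPED_REQUEST = {};
```

A gate built only from client-supplied metadata is as strong as the weakest value the client can withhold; the fail-closed variant keeps the developer working over plain HTTP because same-origin requests still carry Referer, but a page-level `Referrer-Policy: no-referrer` would lock that developer out too. The durable control the entry points at is not a better header check but not binding the dev server to a non-loopback address unless the network is trusted.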
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, and 4.8.1.
Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable and requires no authentication. Public exploit code is available.
Nuxt is an open-source web development framework for Vue.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch is available.