---
title: "4 Nuxt CVEs: what Netlify users need to know"
description: "Four Nuxt CVEs disclosed, including an auth middleware bypass. Two vulnerabilities have limited or no Netlify impact. Upgrade to nuxt 3.21.6 or 4.4.6."
source: "https://www.netlify.com/changelog/2026-05-19-nuxt-security-vulnerabilities/"
last_updated: "2026-07-01T19:20:01.000Z"
---
The Nuxt team has disclosed four security vulnerabilities. Here’s what Netlify customers need to know.

## Vulnerabilities

-   [**CVE-2026-47200**](https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj): Route middleware bypass via island page endpoints (nuxt 3.11.0–3.21.5, 4.0.0-alpha.1–4.4.5)
-   [**CVE-2026-46342**](https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v): Island response not validated against request props (nuxt 3.1.0–3.21.5, 4.0.0-alpha.1–4.4.5)
-   [**CVE-2026-45670**](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g): Dev server exposes built source over LAN (nuxt 3.15.4–3.21.5, 4.0.0-alpha.1–4.4.5)
-   [**CVE-2026-45669**](https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468): Reflected XSS via `navigateTo` with `external: true` (nuxt 3.4.3–3.21.5, 4.0.0-alpha.1–4.4.5)

## Impact on Netlify

### CVE-2026-47200 (route middleware bypass)

When component islands are enabled — the default in Nuxt 4, and available via an opt-in flag in Nuxt 3 — `.server.vue` page files are accessible via `/__nuxt_island/page_*` endpoints that render pages without invoking Vue Router, bypassing route middleware entirely. An unauthenticated attacker can request these endpoints directly to access pages that rely solely on middleware for access control.

**Regardless of hosting provider, all affected Nuxt apps using `.server.vue` pages with route-middleware-only authentication are vulnerable.**

### CVE-2026-46342 (island cache poisoning)

The `/__nuxt_island/*` endpoint accepts props via query parameters without server-side hash validation, allowing the same path to return different content depending on query parameters. If an upstream cache keys on path only, an attacker can inject crafted props into cached responses — enabling XSS if the application renders those props through unsafe HTML sinks.

On Netlify, [cached function responses vary by query string](https://docs.netlify.com/build/caching/caching-overview/#default-caching-behavior). **This vulnerability requires overriding Netlify’s default `Netlify-Vary` behavior and is not exploitable in standard Netlify deployments.**
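The two island-endpoint issues above share a useful detection signal: any request to `/__nuxt_island/*` that was not initiated by the app's own hydration is worth a look while a deploy is still on an affected version. The following is an added example, not Netlify's or Nuxt's code; it scans a constructed JSON-lines access log (fields `ip`, `method`, `url`, `status`, `hasSession` are assumed and would need to be mapped to your real log source) and flags page-island hits (CVE-2026-47200) and island requests carrying markup in query values (CVE-2026-46342).

```javascript
// Added example for this changelog, not Netlify's or Nuxt's code. It scans
// access-log entries for requests to the component-island endpoints that
// CVE-2026-47200 and CVE-2026-46342 concern, so hits can be reviewed while a
// deploy is still on a vulnerable version.
//
// The log format is constructed for this example: one JSON object per line with
// ip, method, url (path plus query string), status and hasSession (whether a
// session cookie accompanied the request). Adapt parseLog() to your own source.

const CONSTRUCTED_LOG = `
{"ip":"203.0.113.10","method":"GET","url":"/admin","status":302,"hasSession":false}
{"ip":"203.0.113.10","method":"GET","url":"/__nuxt_island/page_admin.json","status":200,"hasSession":false}
{"ip":"198.51.100.7","method":"GET","url":"/__nuxt_island/page_dashboard.json?hash=abc","status":200,"hasSession":true}
{"ip":"198.51.100.7","method":"GET","url":"/__nuxt_island/Widget.json?props=%7B%22title%22%3A%22%3Cb%3Ehi%3C%2Fb%3E%22%7D","status":200,"hasSession":true}
{"ip":"192.0.2.55","method":"GET","url":"/blog/post-1","status":200,"hasSession":false}
`;

// Angle brackets only: JSON-encoded props legitimately contain quotes, so
// flagging '"' would fire on every island request.
const ANGLE_BRACKETS = /[<>]/;

function parseLog(text) {
  return text
    .split('\n')
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => JSON.parse(line));
}

function analyzeEntry(entry) {
  const findings = [];
  // The base origin is a placeholder; only the path and query are inspected.
  const u = new URL(entry.url, 'http://placeholder.invalid');
  if (!u.pathname.startsWith('/__nuxt_island/')) return findings;

  // CVE-2026-47200: page islands render .server.vue pages without route
  // middleware. A hit without a session is the case the advisory describes.
  if (u.pathname.startsWith('/__nuxt_island/page_')) {
    findings.push({
      rule: 'island-page-endpoint',
      cve: 'CVE-2026-47200',
      severity: entry.hasSession ? 'medium' : 'high',
      ip: entry.ip,
      url: entry.url,
    });
  }

  // CVE-2026-46342: props arrive unvalidated in the query string. Markup in a
  // query value is worth a look whether or not the upstream cache is path-keyed.
  for (const [param, value] of u.searchParams) {
    if (ANGLE_BRACKETS.test(value)) {
      findings.push({
        rule: 'island-query-markup',
        cve: 'CVE-2026-46342',
        severity: 'medium',
        ip: entry.ip,
        url: entry.url,
        param,
      });
      break;
    }
  }
  return findings;
}

function scanLog(text) {
  return parseLog(text).flatMap(analyzeEntry);
}

// Stand-alone run: print findings for the constructed log.
for (const f of scanLog(CONSTRUCTED_LOG)) {
  console.log(`${f.severity.toUpperCase()} ${f.cve} ${f.rule} ${f.ip} ${f.url}`);
}
```

On the constructed log this reports three findings: the unauthenticated `page_admin` hit as high, the authenticated `page_dashboard` hit as medium, and the `Widget` request whose `props` value decodes to markup. Page-island hits with a valid session are not necessarily abuse, since Nuxt itself fetches islands during hydration, so treat the rule as a triage signal rather than a block list.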

### CVE-2026-45670 (dev server source exposure)

Running `nuxt dev --host` binds the development server to a non-loopback address; with the rspack or webpack builder (not the default Vite builder), malicious sites on the same network can access the application’s source code. This only affects local development environments.

**Netlify production deployments are not affected.** Developers should avoid using `--host` with rspack or webpack builders, or upgrade to patch the issue.

### CVE-2026-45669 (reflected XSS via `navigateTo`)

When `navigateTo()` is called with `external: true`, Nuxt generates a server-side HTML meta-refresh redirect. The destination URL is insufficiently sanitized — HTML-significant characters are not encoded, so an attacker who controls the URL parameter can inject arbitrary scripts that execute before the redirect occurs.

**Regardless of hosting provider, all apps passing untrusted user input to `navigateTo()` with `external: true` are vulnerable.**
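The fix for this class of bug is independent of the framework: validate the destination as a URL and HTML-encode it before it is placed in an attribute. The following is an added example, not Nuxt's code; `unsafeMetaRefresh` models the unencoded interpolation the advisory describes (the exact markup Nuxt emits is an assumption), and `safeExternalRedirect` is the hardened counterpart with an optional host allowlist. The crafted input is constructed for the demonstration.

```javascript
// Added example, not Nuxt's code. Models the server-side meta-refresh page that
// navigateTo({ external: true }) generates, in the defective form described in
// the advisory and in a hardened form. The exact markup Nuxt emits is assumed.

// Constructed input: a URL whose path carries HTML-significant characters.
const CONSTRUCTED_INPUT = 'https://example.com/"><b>x</b>';

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Defective form: the destination is interpolated into an attribute unencoded,
// so characters such as '"' and '<' leave the attribute and become markup.
function unsafeMetaRefresh(url) {
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${url}"></head></html>`;
}

// Hardened form. Returns null when the destination is rejected, so the caller
// can respond with a 400 instead of redirecting.
function safeExternalRedirect(url, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(url); // rejects relative and malformed input
  } catch {
    return null;
  }
  // Only web schemes; this rules out javascript:, data: and similar.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  // Optional allowlist of external hosts the app is willing to send users to.
  if (allowedHosts && !allowedHosts.includes(parsed.hostname)) return null;
  // URL serialisation percent-encodes '"', '<' and '>' in the path; the HTML
  // encoding then covers '&' and anything the serialiser leaves raw.
  const encoded = escapeHtml(parsed.href);
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encoded}"></head></html>`;
}

// Stand-alone run: compare both outputs for the constructed input.
console.log('unsafe:', unsafeMetaRefresh(CONSTRUCTED_INPUT));
console.log('safe:  ', safeExternalRedirect(CONSTRUCTED_INPUT, ['example.com']));
```

The two layers matter together: URL serialisation alone would not encode `&` in a query string, and HTML encoding alone would not stop a `javascript:` scheme. Keeping the allowlist separate also gives you a single place to audit which external destinations an app redirects to.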

## What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

-   `nuxt` 3.21.6 or later (for Nuxt 3.x), or 4.4.6 or later (for Nuxt 4.x)
-   `@nuxt/rspack-builder` and `@nuxt/webpack-builder` 3.21.6 or later, or 4.4.6 or later (if applicable)
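Checking an installed version against the four ranges above by eye is error-prone once prerelease tags such as `4.0.0-alpha.1` are involved. The following is an added example, not Netlify's or Nuxt's code: it encodes the affected ranges and fixed versions exactly as listed on this page, compares versions with semver precedence (numeric prerelease identifiers, prerelease below release), and reports which CVEs apply to a given `nuxt` version.

```javascript
// Added example, not Netlify's or Nuxt's code. Checks an installed nuxt version
// against the affected ranges and fixed versions listed in this changelog.

// Inclusive ranges, copied from the vulnerability list above.
const ADVISORIES = [
  { id: 'CVE-2026-47200', ranges: [['3.11.0', '3.21.5'], ['4.0.0-alpha.1', '4.4.5']] },
  { id: 'CVE-2026-46342', ranges: [['3.1.0', '3.21.5'], ['4.0.0-alpha.1', '4.4.5']] },
  { id: 'CVE-2026-45670', ranges: [['3.15.4', '3.21.5'], ['4.0.0-alpha.1', '4.4.5']] },
  { id: 'CVE-2026-45669', ranges: [['3.4.3', '3.21.5'], ['4.0.0-alpha.1', '4.4.5']] },
];

const FIXED = { 3: '3.21.6', 4: '4.4.6' };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [], // build metadata is ignored for precedence
  };
}

// Prerelease identifier precedence: numeric < alphanumeric, numeric compared as
// numbers, alphanumeric compared lexically.
function compareIdent(a, b) {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] - y.main[i];
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1; // a release outranks any prerelease of it
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return x.pre.length - y.pre.length; // more identifiers outranks fewer
}

function inRange(version, [lo, hi]) {
  return compareSemver(version, lo) >= 0 && compareSemver(version, hi) <= 0;
}

// CVE ids from this page that apply to the given installed version.
function affectedCves(version) {
  return ADVISORIES.filter((a) => a.ranges.some((r) => inRange(version, r))).map((a) => a.id);
}

// Lowest patched release on the same major line, or null if this changelog
// does not cover that major version.
function minimumFixedVersion(version) {
  return FIXED[parseSemver(version).main[0]] ?? null;
}

// Stand-alone run: report on a constructed sample version.
const sample = '3.12.0';
console.log(sample, 'affected by', affectedCves(sample), 'upgrade to', minimumFixedVersion(sample));
```

Feed it the installed version, not the range in `package.json`: `npm ls nuxt` or `node_modules/nuxt/package.json` is the right source. The same fixed versions apply to `@nuxt/rspack-builder` and `@nuxt/webpack-builder` where those are installed, so the check is worth running for each of them.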

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).

## Resources

-   [Nuxt security advisories](https://github.com/nuxt/nuxt/security)