Security update: multiple vulnerabilities in Nuxt

May 19, 2026

The Nuxt team has disclosed four security vulnerabilities. Here’s what Netlify customers need to know.

Vulnerabilities

  • CVE-2026-47200: Route middleware bypass via island page endpoints (nuxt 3.11.0–3.21.5, 4.0.0-alpha.1–4.4.5)
  • CVE-2026-46342: Island response not validated against request props (nuxt 3.1.0–3.21.5, 4.0.0-alpha.1–4.4.5)
  • CVE-2026-45670: Dev server exposes built source over LAN (nuxt 3.15.4–3.21.5, 4.0.0-alpha.1–4.4.5)
  • CVE-2026-45669: Reflected XSS via navigateTo with external: true (nuxt 3.4.3–3.21.5, 4.0.0-alpha.1–4.4.5)

Impact on Netlify

CVE-2026-47200 (route middleware bypass)

When component islands are enabled — the default in Nuxt 4, and available via an opt-in flag in Nuxt 3 — .server.vue page files are accessible via /__nuxt_island/page_* endpoints that render pages without invoking Vue Router, bypassing route middleware entirely. An unauthenticated attacker can request these endpoints directly to access pages that rely solely on middleware for access control.

Regardless of hosting provider, all affected Nuxt apps using .server.vue pages with route-middleware-only authentication are vulnerable.
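The defensive takeaway is that authorization has to be enforced at a layer every request passes through, not only in Vue Router middleware. The following is an added example, not code from Nuxt or Netlify: a server-level guard of the kind you would wire into a Nitro `server/middleware/` handler, which runs before any route, including the island renderer. It assumes (hypothetically) that a cookie named `session` marks a logged-in user and that the `/admin` pages of this app are `.server.vue` pages behind login, so it refuses unauthenticated requests to both the page route and any `/__nuxt_island/page_*` endpoint.

```javascript
// Added example (not Nuxt or Netlify code): an authorization guard at the server
// layer, covering both the page route and the /__nuxt_island/page_* endpoint that
// route middleware never sees.
// Assumptions (hypothetical): a non-empty "session" cookie means "logged in", and
// the app's only .server.vue pages live under /admin.

const PROTECTED_PATTERNS = [
  /^\/admin(\/|$)/,          // the page route itself
  /^\/__nuxt_island\/page_/, // island endpoints that render .server.vue pages
];

function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function requiresAuth(pathname) {
  return PROTECTED_PATTERNS.some((re) => re.test(pathname));
}

// req: { url, headers } as a server middleware would see it.
// Returns null to let the request through, or a refusal to send back.
function guard(req) {
  const pathname = new URL(req.url, "http://localhost").pathname;
  if (!requiresAuth(pathname)) return null;
  const cookies = parseCookies(req.headers && req.headers.cookie);
  if (cookies.session) return null; // hypothetical session check
  return { status: 401, body: "authentication required" };
}
```

In a Nuxt app the `guard()` call would sit inside an event handler under `server/middleware/`, fed the request URL and `Cookie` header from the h3 event; the decision logic above is deliberately framework-free so it can be unit-tested on its own.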

CVE-2026-46342 (island cache poisoning)

The /__nuxt_island/* endpoint accepts props via query parameters without server-side hash validation, allowing the same path to return different content depending on query parameters. If an upstream cache keys on path only, an attacker can inject crafted props into cached responses — enabling XSS if the application renders those props through unsafe HTML sinks.

On Netlify, cached function responses vary by query string. This vulnerability requires overriding Netlify’s default Netlify-Vary behavior and is not exploitable in standard Netlify deployments.
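To make the cache-key condition concrete, here is an added example (not Nuxt or Netlify code) of a minimal response cache in front of a stand-in island renderer. With a path-only key, two requests to the same `/__nuxt_island/*` path with different props share one entry, so whatever the first caller supplied is served to everyone after it; keying on path plus query string keeps them apart. The renderer, the component name `Greeting`, and the JSON `props` query parameter are constructed for this example, and the renderer HTML-escapes the props as an application should.

```javascript
// Added example (not Nuxt or Netlify code): why a path-only cache key lets one
// caller's island props be served to later callers, and how varying on the query
// string prevents it. Renderer, component name and props format are constructed.

function cacheKey(url, { varyOnQuery }) {
  const u = new URL(url, "http://localhost");
  if (!varyOnQuery) return u.pathname;
  u.searchParams.sort(); // canonical order so a=1&b=2 and b=2&a=1 share an entry
  return u.pathname + "?" + u.searchParams.toString();
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for an island renderer: props come from the query string
// and are escaped before they reach the markup (the unsafe-sink case is what
// would turn a poisoned cache entry into XSS).
function renderIsland(url) {
  const u = new URL(url, "http://localhost");
  let props = {};
  try {
    props = JSON.parse(u.searchParams.get("props") || "{}");
  } catch {
    // malformed props: render with defaults
  }
  return `<div>Hello, ${escapeHtml(props.name ?? "guest")}</div>`;
}

function makeCachedRenderer({ varyOnQuery }) {
  const store = new Map();
  return function serve(url) {
    const key = cacheKey(url, { varyOnQuery });
    if (!store.has(key)) store.set(key, renderIsland(url));
    return store.get(key);
  };
}
```

The `varyOnQuery: true` branch is the behaviour the text describes as Netlify's default; the `false` branch is the configuration an operator would only reach by overriding `Netlify-Vary`.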

CVE-2026-45670 (dev server source exposure)

Running nuxt dev --host binds the development server to a non-loopback address; with the rspack or webpack builder (not the default Vite builder), malicious sites on the same network can access the application’s source code. This only affects local development environments.

Netlify production deployments are not affected. Developers should avoid using --host with rspack or webpack builders, or upgrade to patch the issue.

CVE-2026-45669 (reflected XSS via navigateTo)

When navigateTo() is called with external: true, Nuxt generates a server-side HTML meta-refresh redirect. The destination URL is insufficiently sanitized — HTML-significant characters are not encoded, so an attacker who controls the URL parameter can inject arbitrary scripts that execute before the redirect occurs.

Regardless of hosting provider, all apps passing untrusted user input to navigateTo() with external: true are vulnerable.

What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

  • nuxt 3.21.6 or later (for Nuxt 3.x), or 4.4.6 or later (for Nuxt 4.x)
  • @nuxt/rspack-builder and @nuxt/webpack-builder 3.21.6 or later, or 4.4.6 or later (if applicable)

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.

Resources