---
title: "Nuxt-js | Netlify Changelog"
description: "Get the latest updates on Netlify products and features to meet your developer needs."
source: "https://www.netlify.com/changelog/tag/nuxt-js/"
last_updated: "2026-07-15T23:33:44.000Z"
---
# Posts tagged "Nuxt-js"

All Tags Agent-runners AI Ai-gateway Angular Astro AX Build CLI Database Design Devtools Domains E-commerce Extensions Forms Framework Functions Logs Next.js Nuxt.js Remix SDK Security Updates Workflow  [Subscribe to feed](https://www.netlify.com/changelog/tag/nuxt-js/feed.xml)

-   [
    
    ## Security update: multiple vulnerabilities in Nuxt
    
    ](/changelog/2026-05-19-nuxt-security-vulnerabilities/)
    
    May 19, 2026
    
    -   [security](/changelog/tag/security/)
    -   [nuxt.js](/changelog/tag/nuxt-js/)
    
    The Nuxt team has disclosed four security vulnerabilities. Here’s what Netlify customers need to know.
    
    ## Vulnerabilities
    
    -   [**CVE-2026-47200**](https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj): Route middleware bypass via island page endpoints (nuxt 3.11.0–3.21.5, 4.0.0-alpha.1–4.4.5)
    -   [**CVE-2026-46342**](https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v): Island response not validated against request props (nuxt 3.1.0–3.21.5, 4.0.0-alpha.1–4.4.5)
    -   [**CVE-2026-45670**](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g): Dev server exposes built source over LAN (nuxt 3.15.4–3.21.5, 4.0.0-alpha.1–4.4.5)
    -   [**CVE-2026-45669**](https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468): Reflected XSS via `navigateTo` with `external: true` (nuxt 3.4.3–3.21.5, 4.0.0-alpha.1–4.4.5)
    
    ## Impact on Netlify
    
    ### CVE-2026-47200 (route middleware bypass)
    
    When component islands are enabled — the default in Nuxt 4, and available via an opt-in flag in Nuxt 3 — `.server.vue` page files are accessible via `/__nuxt_island/page_*` endpoints that render pages without invoking Vue Router, bypassing route middleware entirely. An unauthenticated attacker can request these endpoints directly to access pages that rely solely on middleware for access control.
    
    **Regardless of hosting provider, all affected Nuxt apps using `.server.vue` pages with route-middleware-only authentication are vulnerable.**
    
    ### CVE-2026-46342 (island cache poisoning)
    
    The `/__nuxt_island/*` endpoint accepts props via query parameters without server-side hash validation, allowing the same path to return different content depending on query parameters. If an upstream cache keys on path only, an attacker can inject crafted props into cached responses — enabling XSS if the application renders those props through unsafe HTML sinks.
    
    On Netlify, [cached function responses vary by query string](https://docs.netlify.com/build/caching/caching-overview/#default-caching-behavior). **This vulnerability requires overriding Netlify’s default `Netlify-Vary` behavior and is not exploitable in standard Netlify deployments.**
    
    ### CVE-2026-45670 (dev server source exposure)
    
    Running `nuxt dev --host` binds the development server to a non-loopback address; with the rspack or webpack builder (not the default Vite builder), malicious sites on the same network can access the application’s source code. This only affects local development environments.
    
    **Netlify production deployments are not affected.** Developers should avoid using `--host` with rspack or webpack builders, or upgrade to patch the issue.
    
    ### CVE-2026-45669 (reflected XSS via `navigateTo`)
    
    When `navigateTo()` is called with `external: true`, Nuxt generates a server-side HTML meta-refresh redirect. The destination URL is insufficiently sanitized — HTML-significant characters are not encoded, so an attacker who controls the URL parameter can inject arbitrary scripts that execute before the redirect occurs.
    
    **Regardless of hosting provider, all apps passing untrusted user input to `navigateTo()` with `external: true` are vulnerable.**
    
    ## What should I do?
    
    We strongly recommend upgrading as soon as possible to patched releases:
    
    -   `nuxt` 3.21.6 or later (for Nuxt 3.x), or 4.4.6 or later (for Nuxt 4.x)
    -   `@nuxt/rspack-builder` and `@nuxt/webpack-builder` 3.21.6 or later, or 4.4.6 or later (if applicable)
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [Nuxt security advisories](https://github.com/nuxt/nuxt/security)
    
    [Permalink to Security update: multiple vulnerabilities in Nuxt Permalink](/changelog/2026-05-19-nuxt-security-vulnerabilities/)
    
-   [
    
    ## Nuxt 4 support + new @netlify/nuxt module for local dev
    
    ](/changelog/nuxt-4-support-new-netlify-nuxt-module-for-local-dev/)
    
    July 15, 2025
    
    -   [nuxt.js](/changelog/tag/nuxt-js/)
    -   [devtools](/changelog/tag/devtools/)
    
    Today we’re announcing two major updates for Nuxt developers on Netlify:
    
    ## Day-One Nuxt 4 Support
    
    [Nuxt 4 launched today](https://nuxt.com/blog/v4), and Netlify is ready. Deploy your Nuxt 4 apps with zero configuration changes—everything just works. Everything is fully compatible from day one.
    
    [Learn more about leveraging platform primitives with Nuxt](https://www.netlify.com/blog/platform-primitives-with-nuxt-4).
    
    ## Full Platform Emulation in Your Dev Server with @netlify/nuxt
    
    We’re also launching `@netlify/nuxt` today, a new Nuxt module that brings the entire Netlify platform into your local development environment. Functions, Edge Functions, Blobs, Image CDN, env vars, headers, and redirects all work directly in `nuxt dev`—no separate CLI required.
    
    Add the module to your Nuxt 3 or Nuxt 4 app with one command:
    
    ```
    npx nuxi module add @netlify/nuxt
    ```
    
    This simplifies local development and enables AI coding assistants to build full-stack apps with immediate feedback.
    
    [Read the complete guide](https://developers.netlify.com/guides/run-serverless-functions-storage-and-more-in-your-nuxt-dev-server-with-netlify-nuxt/).
    
    [Permalink to Nuxt 4 support + new @netlify/nuxt module for local dev Permalink](/changelog/nuxt-4-support-new-netlify-nuxt-module-for-local-dev/)