Posts tagged "Nuxt-js"
The Nuxt team has disclosed four security vulnerabilities. Here’s what Netlify customers need to know.
Vulnerabilities
- CVE-2026-47200: Route middleware bypass via island page endpoints (nuxt 3.11.0–3.21.5, 4.0.0-alpha.1–4.4.5)
- CVE-2026-46342: Island response not validated against request props (nuxt 3.1.0–3.21.5, 4.0.0-alpha.1–4.4.5)
- CVE-2026-45670: Dev server exposes built source over LAN (nuxt 3.15.4–3.21.5, 4.0.0-alpha.1–4.4.5)
- CVE-2026-45669: Reflected XSS via `navigateTo` with `external: true` (nuxt 3.4.3–3.21.5, 4.0.0-alpha.1–4.4.5)
Impact on Netlify
CVE-2026-47200 (route middleware bypass)
When component islands are enabled — the default in Nuxt 4, and available via an opt-in flag in Nuxt 3 — `.server.vue` page files are accessible via `/__nuxt_island/page_*` endpoints that render pages without invoking Vue Router, bypassing route middleware entirely. An unauthenticated attacker can request these endpoints directly to access pages that rely solely on middleware for access control.
Regardless of hosting provider, all affected Nuxt apps using `.server.vue` pages with route-middleware-only authentication are vulnerable.
CVE-2026-46342 (island cache poisoning)
The `/__nuxt_island/*` endpoint accepts props via query parameters without server-side hash validation, allowing the same path to return different content depending on query parameters. If an upstream cache keys on path only, an attacker can inject crafted props into cached responses — enabling XSS if the application renders those props through unsafe HTML sinks.
On Netlify, cached function responses vary by query string. This vulnerability requires overriding Netlify’s default `Netlify-Vary` behavior and is not exploitable in standard Netlify deployments.
CVE-2026-45670 (dev server source exposure)
Running `nuxt dev --host` binds the development server to a non-loopback address; with the rspack or webpack builder (not the default Vite builder), malicious sites on the same network can access the application’s source code. This only affects local development environments.
Netlify production deployments are not affected. Developers should avoid using `--host` with the rspack or webpack builders, or upgrade to patch the issue.
CVE-2026-45669 (reflected XSS via `navigateTo`)
When `navigateTo()` is called with `external: true`, Nuxt generates a server-side HTML meta-refresh redirect. The destination URL is insufficiently sanitized — HTML-significant characters are not encoded, so an attacker who controls the URL parameter can inject arbitrary scripts that execute before the redirect occurs.
Regardless of hosting provider, all apps passing untrusted user input to `navigateTo()` with `external: true` are vulnerable.
What should I do?
We strongly recommend upgrading as soon as possible to patched releases:
- `nuxt` 3.21.6 or later (for Nuxt 3.x), or 4.4.6 or later (for Nuxt 4.x)
- `@nuxt/rspack-builder` and `@nuxt/webpack-builder` 3.21.6 or later, or 4.4.6 or later (if applicable)
Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.
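As an added illustration of the defect class behind CVE-2026-45669 (this is not Nuxt's or Netlify's code, and every function name is hypothetical): a plain JavaScript emitter for a server-side meta-refresh redirect that HTML-encodes the destination for the attribute context it lands in and accepts only absolute http(s) URLs.

```javascript
// Added illustration, not Nuxt's implementation: emit a server-side
// meta-refresh redirect without the encoding defect described for
// CVE-2026-45669. All names here are hypothetical.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

const ATTR_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every HTML-significant character so the destination can neither
// close the content attribute nor the <meta> element it is embedded in.
function escapeHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs. Parsing with the WHATWG URL API also
// yields a normalised serialisation ('"', '<', '>' in the query are
// percent-encoded), but '&' survives, so attribute encoding is still required.
function validateExternalUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null; // relative, malformed or empty input
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Hardened counterpart of the pattern in the advisory: refuse anything that
// is not an allowed URL, and encode the URL everywhere it lands in HTML.
function renderMetaRefresh(destination) {
  const safeUrl = validateExternalUrl(destination);
  if (safeUrl === null) {
    return { status: 400, body: "<!DOCTYPE html><p>Invalid redirect target.</p>" };
  }
  const encoded = escapeHtmlAttribute(safeUrl);
  return {
    status: 200,
    body:
      "<!DOCTYPE html><html><head>" +
      `<meta http-equiv="refresh" content="0; url=${encoded}">` +
      `</head><body><a href="${encoded}">Continue</a></body></html>`,
  };
}
```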
Today we’re announcing two major updates for Nuxt developers on Netlify:
Day-One Nuxt 4 Support
Nuxt 4 launched today, and Netlify is ready. Deploy your Nuxt 4 apps with zero configuration changes—everything just works and is fully compatible from day one.
Learn more about leveraging platform primitives with Nuxt.
Full Platform Emulation in Your Dev Server with @netlify/nuxt
We’re also launching `@netlify/nuxt` today, a new Nuxt module that brings the entire Netlify platform into your local development environment. Functions, Edge Functions, Blobs, Image CDN, env vars, headers, and redirects all work directly in `nuxt dev`—no separate CLI required.
Add the module to your Nuxt 3 or Nuxt 4 app with one command:
```sh
npx nuxi module add @netlify/nuxt
```
This simplifies local development and enables AI coding assistants to build full-stack apps with immediate feedback.