Vulnerability in Nuxt's `navigateTo` function can allow for JavaScript injection
CVE-2024-34343

6.1 MEDIUM

Key Information:

Vendor
Nuxt
Status
Nuxt
Vendor
CVE Published:
5 August 2024

Summary

Nuxt is a framework for building full-stack web applications with Vue.js. Its `navigateTo` function handles URL protocols incorrectly: it is meant to block the `javascript:` protocol, but the implementation does not use the parsing functions of the unjs/ufo library properly. As a result, certain malformed URLs, such as `javascript:alert(1)`, are not parsed accurately, and the script-protocol check that follows is ineffective. Whitespace is also not identified and stripped during parsing, which further weakens protocol validation and lets an attacker bypass the check. The vulnerability primarily has impact after Server-Side Rendering (SSR), where an improperly validated protocol could compromise the integrity of the web application. Users are strongly encouraged to upgrade to version 3.12.4; there are currently no known workarounds.
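The failure mode described above, shown in miniature as an added example (it is not code from Nuxt or unjs/ufo): a constructed blocklist check that compares the raw scheme text sits beside a guard that lets the WHATWG `URL` parser normalize the input first and then allowlists the protocol. The names `naiveIsScriptUrl`, `isSafeNavigationTarget`, `BASE` and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration; not Nuxt or unjs/ufo source code.
// Blocklist of script-capable schemes (constructed for this example).
const SCRIPT_PROTOCOLS = new Set(["javascript:", "data:", "vbscript:"]);

// Weak pattern: compare the raw text before the first ':' to a blocklist,
// with no normalisation. Whitespace before or inside the scheme defeats it.
function naiveIsScriptUrl(input) {
  const idx = input.indexOf(":");
  return idx !== -1 && SCRIPT_PROTOCOLS.has(input.slice(0, idx + 1));
}

// Hardened pattern: parse first, then allowlist the normalised protocol.
// The WHATWG parser strips leading/trailing control characters and spaces,
// removes tabs and newlines, and lowercases the scheme before we inspect it.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const BASE = "https://app.example"; // placeholder origin (assumption)

function isSafeNavigationTarget(input) {
  if (typeof input !== "string") return false;
  let url;
  try {
    url = new URL(input, BASE); // relative paths resolve against BASE
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Constructed sample inputs: two benign targets, the URL quoted in the
// summary, and two whitespace variants of it.
const SAMPLES = [
  "/dashboard",
  "https://example.com/docs",
  "javascript:alert(1)",
  "\njavascript:alert(1)",
  "java\tscript:alert(1)",
];

// Side-by-side verdicts for each sample.
function compare(samples) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    naiveBlocks: naiveIsScriptUrl(s),
    hardenedAllows: isSafeNavigationTarget(s),
  }));
}

console.table(compare(SAMPLES));
```

The guard only constrains the protocol; it does not restrict which host an `http:` or `https:` target points to.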

Affected Version(s)

nuxt < 3.12.4

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
