Nuxt Framework Vulnerability Allows Arbitrary Code Execution
CVE-2024-34344

8.8 HIGH

Key Information:

Vendor
Nuxt
Status
Nuxt
Vendor
CVE Published: 5 August 2024

Summary

Nuxt, an open-source framework for building web applications with Vue.js, has a vulnerability caused by inadequate validation of the 'path' parameter in the NuxtTestComponentWrapper. The flaw lets an attacker execute arbitrary JavaScript code on the server side. Users who run tests locally and open a malicious web page while doing so are exposed, and the result can be remote code execution. The impact can be particularly severe because malicious web pages can send requests to arbitrary addresses, so the vulnerability could be triggered every time the test server runs. This makes it critical for users to apply the necessary security measures.

Affected Version(s)

nuxt >= 3.4.0 < 3.12.4

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
