Cache Poisoning Vulnerability in Nuxt Framework by Nuxt Team
CVE-2025-27415
What is CVE-2025-27415?
CVE-2025-27415 is a vulnerability identified in the Nuxt framework, which is an open-source web development framework designed for building applications using Vue.js. This vulnerability is particularly concerning as it allows attackers to send specially crafted HTTP requests that can poison the cache of a Content Delivery Network (CDN) in front of a Nuxt application. When exploited, this flaw can render the affected site unavailable, disrupting services and leading to potential reputational and financial damage for organizations relying on this framework for their web applications.
Technical Details
The vulnerability exists in versions prior to 3.16.0 of the Nuxt framework. By submitting a specific type of HTTP request, such as one designed to retrieve response data in JSON format, an attacker can manipulate the behavior of the CDN caching mechanism. If the CDN does not properly consider the request's query string when determining what to cache, it can serve the poisoned state of the site to future visitors. In particularly malicious cases, an attacker could implement a script to repeatedly send requests, creating a scenario where the cache remains continually poisoned, effectively making the site perpetually unavailable.
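The cache-key behaviour described above can be seen in a small model. This is an added example, not code from Nuxt or from any CDN: the toy origin, the toy cache, the host `example.test` and the `format=json` query parameter are all constructed stand-ins for the crafted request and the JSON response the advisory mentions.

```javascript
// Added illustration: a toy origin and CDN cache, not Nuxt or real CDN code.
// "format=json" is a constructed stand-in for the crafted request.
const BASE = 'https://example.test'; // placeholder host, only used for URL parsing

// Toy origin: returns JSON when the query asks for it, HTML otherwise.
function origin(url) {
  const u = new URL(url, BASE);
  if (u.searchParams.get('format') === 'json') {
    return { type: 'application/json', body: '{"data":[]}' };
  }
  return { type: 'text/html', body: '<html>home</html>' };
}

// Weak policy: the cache key is the path only, the query string is ignored.
const keyByPath = (url) => new URL(url, BASE).pathname;

// Corrected policy: the key is the path plus the normalised (sorted) query string.
const keyByPathAndQuery = (url) => {
  const u = new URL(url, BASE);
  u.searchParams.sort();
  const q = u.searchParams.toString();
  return q ? `${u.pathname}?${q}` : u.pathname;
};

// Minimal CDN: serve from cache on a key hit, otherwise fetch from origin and store.
function makeCdn(keyFn) {
  const store = new Map();
  return (url) => {
    const key = keyFn(url);
    if (!store.has(key)) store.set(key, origin(url));
    return store.get(key);
  };
}

// Replay the same two requests under a policy and report what the visitor receives.
function visitorContentType(keyFn) {
  const cdn = makeCdn(keyFn);
  cdn('/?format=json');   // constructed crafted request reaches the cache first
  return cdn('/').type;   // an ordinary visitor then requests the same path
}

console.log('path-only key    ->', visitorContentType(keyByPath));
console.log('path + query key ->', visitorContentType(keyByPathAndQuery));
```

With the path-only key the ordinary visitor is served the JSON response stored by the earlier request; keying on the query string keeps the two responses in separate cache entries.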
Potential Impact of CVE-2025-27415
- Service Disruption: The primary impact of this vulnerability is the potential for significant service disruption, where affected organizations may experience prolonged downtime due to poisoned cache responses being served to users.
- Reputational Damage: With an inability to deliver services effectively, organizations may suffer reputational harm, particularly if customers or clients are negatively impacted by service outages, which could lead to loss of trust in the organization’s reliability.
- Financial Loss: Prolonged downtime and service interruptions can lead to direct financial losses, particularly for e-commerce or service-oriented organizations that rely on their websites for transactions or customer interactions.
Affected Version(s)
nuxt >= 3.0.0, < 3.16.0
News Articles

NVD - CVE-2025-27415
Description: Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some...
Timeline
- 👾 Exploit known to exist
- 📰 First article discovered by National Institute of Standards and Technology (.gov)
- Vulnerability published
- Vulnerability Reserved