Description
nuxt/icon provides an API to allow client side icon lookup. This endpoint is at /api/_nuxt_icon/[name].
The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure.
Recommendation
Update the @nuxt/icon package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.4.4
- Patched version(s): 1.4.5
References
Related Issues
- Strapi Server-Side Request Forgery (SSRF) - CVE-2024-37818
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- @lobehub/chat Server Side Request Forgery vulnerability - CVE-2024-32965
- Tags:
- npm
- @nuxt/icon
Anything's wrong? Let us know Last updated on August 06, 2024