Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

Severity:: Low

Description

The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>.

Recommendation

Update the nuxt package to the latest compatible version. Followings are version details:

Affected version(s): **>= 4.0.0-alpha.1, <= 4.4.5 >= 3.1.0, <= 3.21.5**
Patched version(s): **4.4.6 3.21.6**

References

GHSA-g8wj-3cr3-6w7v
CVE-2026-46342
CWE-349
CWE-444
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning - @nuxt/nitro-server - CVE-2026-46342
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - @strapi/plugin-users-permissions - CVE-2026-22706
Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
Svelte SSR does not validate dynamic element tag names in `<svelte:element>` - CVE-2026-27122

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; nuxt

Anything's wrong? Let us know Last updated on May 19, 2026