Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning - @nuxt/nitro-server
- Severity: Low
Description
The `/__nuxt_island/*` endpoint accepts attacker-controlled `props` query/body parameters and renders any island component with them, without verifying that the hash embedded in the URL (`<Name>_<hashId>.json`) was actually issued for those inputs by `<NuxtIsland>`. Because the response is identified by the URL alone, a shared cache in front of the application can end up storing a render produced from attacker-chosen props under a legitimate island URL and serving it to other users.
Recommendation
Update the @nuxt/nitro-server package to the latest compatible version. Version details:
- Affected version(s): **>= 4.2.0, <= 4.4.5** and **>= 3.20.0, <= 3.21.5**
- Patched version(s): **4.4.6** (4.x line) and **3.21.6** (3.x line)
References
- GHSA-g8wj-3cr3-6w7v
- CVE-2026-46342
- CWE-349
- CWE-444
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning - CVE-2026-46342
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
- Parse Server session creation endpoint allows overwriting server-generated session fields - CVE-2026-32742
- Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands - CVE-2026-29772
- Tags:
- npm
- @nuxt/nitro-server
Last updated on May 19, 2026