nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)

Description

The isBlockedUrl() denylist introduced in [email protected] to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete.

Recommendation

Update the nuxt-og-image package to the latest compatible version. Followings are version details:

• Affected version(s): >= 6.2.5, < 6.4.9
• Patched version(s): 6.4.9

References

• GHSA-c2rm-g55x-8hr5
• CVE-2026-44589
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) - CVE-2026-41321
• Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) - @nuxt/webpack-builder - CVE-2026-45670
• LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader - CVE-2026-27795
• Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration - CVE-2026-45715

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

CSRF, XXE, and 12 Other Security Acronyms Explained

Update Cheat Sheet for Developers

Tags:

npm

nuxt-og-image