nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR
- Severity: Medium
Description
The navigateTo function attempts to block the javascript: protocol, but does not correctly use the APIs provided by unjs/ufo. This library also contains parsing discrepancies.
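The failure mode described above, a scheme blocklist whose parsing disagrees with the browser's, is avoided by resolving the target with the platform's WHATWG `URL` parser and allowlisting schemes on the parsed result. The following is an added example, not code from Nuxt or unjs/ufo; `naiveIsBlocked`, `isSafeRedirect`, the `https://app.example/` base and the sample inputs are all constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed inputs.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Generic blocklist on the raw string (illustrative, not Nuxt's code).
// It only matches one exact spelling of the scheme.
function naiveIsBlocked(target) {
  return target.startsWith('javascript:');
}

// Allowlist on the parsed result: resolve the target with the WHATWG URL
// parser (the algorithm browsers apply), then accept only known schemes.
function isSafeRedirect(target, base = 'https://app.example/') {
  if (typeof target !== 'string') return false;
  let url;
  try {
    url = new URL(target, base); // relative paths resolve against base
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Constructed sample inputs for a redirect-target validator.
const samples = [
  '/dashboard',
  'https://example.org/docs',
  'javascript:void(0)',
  'JavaScript:void(0)',   // the parser lowercases the scheme
  ' javascript:void(0)',  // the parser strips leading whitespace
  'java\tscript:void(0)', // the parser removes tabs and newlines
  'data:text/html,hello',
];

function classify(inputs) {
  return inputs.map((target) => ({
    target,
    naiveBlocked: naiveIsBlocked(target),
    safe: isSafeRedirect(target),
  }));
}

console.table(classify(samples));
```

Rows where `naiveBlocked` is false and `safe` is also false are the inputs on which the string check and the URL parser disagree.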
Recommendation
Update the nuxt package to the latest compatible version. The version details are as follows:
- Affected version(s): < 3.12.4
- Patched version(s): 3.12.4
References
Related Issues
- vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - CVE-2024-6783
- Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
- Summernote vulnerable to cross-site scripting - CVE-2024-29504
- vue-i18n has cross-site scripting vulnerability with prototype pollution (GHSA-9r9m-ffp6-9x4v) 4 - CVE-2024-52809
- Tags:
- npm
- nuxt
Last updated on May 15, 2025