Nuxt vulnerable to remote code execution via the browser when running the test locally
- Severity: High
Description
Due to insufficient validation of the path parameter in NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which in turn allows them to execute arbitrary commands.
Recommendation
Update the nuxt package to the latest compatible version. Version details:
- Affected version(s): >= 3.4.0, < 3.12.4
- Patched version(s): 3.12.4
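To check a project against the range above, the following added example (not part of the original advisory or of the Nuxt project) scans the `packages` map of an npm lockfile for every installed copy of nuxt, nested copies included, and classifies each one against >= 3.4.0, < 3.12.4. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Range bounds come from the advisory; all names here are illustrative.
const AFFECTED_MIN = "3.4.0"; // inclusive lower bound
const PATCHED = "3.12.4";     // first fixed version, exclusive upper bound

// Parse "x.y.z[-pre]" into numeric core parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Compare two versions; a prerelease sorts just below its own release (semver order).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

// Conservative choice: a prerelease of the patched version counts as below it.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
    compareVersions(version, PATCHED) < 0;
}

// Walk a lockfile (v2/v3) "packages" map and report every nuxt copy,
// including ones nested under another package's node_modules.
function findNuxtInstalls(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/nuxt$/.test(path)) continue;
    const parsed = parseVersion(meta.version);
    const status = !parsed ? "unknown" : isAffected(meta.version) ? "affected" : "ok";
    results.push({ path, version: meta.version, dev: Boolean(meta.dev), status });
  }
  return results;
}

// Constructed sample lockfile: a patched top-level nuxt plus an older nested copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/nuxt": { version: "3.12.4" },
  "node_modules/legacy-module/node_modules/nuxt": { version: "3.11.2", dev: true },
  "node_modules/nuxt-icon": { version: "0.6.10" },
}};
console.log(findNuxtInstalls(SAMPLE_LOCK));
```

A nested copy can remain in the affected range after the top-level dependency is updated, which is why the scan reports each install path separately.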
References
Related Issues
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
- Tags: npm, nuxt
Last updated on November 18, 2024