Nuxt vulnerable to remote code execution via the browser when running the test locally

Severity:: High

Description

Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.

Recommendation

Update the nuxt package to the latest compatible version. Followings are version details:

Affected version(s): >= 3.4.0, < 3.12.4
Patched version(s): 3.12.4

References

GHSA-v784-fjjh-f8r4
CVE-2024-34344
CWE-706
CWE-94
CAPEC-310
OWASP 2021-A1
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival - CVE-2025-59414
Nuxt allows DOS via cache poisoning with payload rendering response - CVE-2025-27415
nuxt Code Injection vulnerability - CVE-2023-3224
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343

Tags:: npm; nuxt

Anything's wrong? Let us know Last updated on November 18, 2024