Nuxt vulnerable to remote code execution via the browser when running the test locally

Severity:: High

Description

Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.

Recommendation

Update the nuxt package to the latest compatible version. Followings are version details:

Affected version(s): >= 3.4.0, < 3.12.4
Patched version(s): 3.12.4

References

GHSA-v784-fjjh-f8r4
CVE-2024-34344
CWE-706
CWE-94
CAPEC-310
OWASP 2021-A1
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
Angular Expressions - Remote Code Execution when using locals - CVE-2024-54152

Tags:: npm; nuxt

Anything's wrong? Let us know Last updated on November 18, 2024