Nuxt vulnerable to remote code execution via the browser when running the test locally

Severity:: High

Description

Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.

Recommendation

Update the nuxt package to the latest compatible version. Followings are version details:

Affected version(s): >= 3.4.0, < 3.12.4
Patched version(s): 3.12.4

References

GHSA-v784-fjjh-f8r4
CVE-2024-34344
CWE-706
CWE-94
CAPEC-310
OWASP 2021-A1
OWASP 2021-A3
OWASP 2021-A6

Related Issues

FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; nuxt

Anything's wrong? Let us know Last updated on November 18, 2024