Summary
A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.
Technical Details
The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts), where Nuxt Islands are automatically fetched whenever a serialized __nuxt_island object is encountered. The affected flow is:
- During prerendering, an API endpoint returns user-controlled data containing a crafted __nuxt_island object
- This data is serialized with devalue.stringify and stored in the prerendered page
- When a client navigates to the prerendered page, devalue.parse deserializes the payload
- The Island reviver attempts to fetch /__nuxt_island/${key}.json, where key can contain path traversal sequences
Prerequisites for Exploitation
This vulnerability requires all of the following conditions:
- Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
- Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
- Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)
Attack Scenario
// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}
This causes the client to request /__nuxt_island/../../../../internal/service.json. Because the browser's URL parser collapses the dot segments before the request is sent, the effective target is /internal/service.json on the same origin, so the attacker can steer the client to other endpoints of the application unless the server also rejects traversal sequences.
Impact Assessment
- Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
- No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
- Client-Side Only: Requests originate from the client, not the server
Mitigation
Action Required:
- Update to Nuxt 3.19.0+ or 4.1.0+ immediately
- Review any prerendered pages that fetch external or user-controlled data
Temporary Workarounds (if immediate update is not possible):
- Disable prerendering for pages that fetch user-controlled data
- Implement strict input validation on API endpoints used during prerendering
- Use allowlists for API response structures during prerendering
Fix Details
The fix implemented validation for Island keys in revive-payload.server.ts:
- Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
- Maximum length of 100 characters
- Prevents path traversal and special characters
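The following is an added example, not Nuxt's own code, that ties the Attack Scenario above to the Fix Details: it emulates the client-side reviver walking a deserialized payload, shows where the browser would actually send a request for a traversal key, and applies the key validation the fix introduced. The payloads are constructed samples, and JSON.stringify/JSON.parse stand in for devalue.stringify/devalue.parse so the block runs stand-alone; the origin https://app.example and the function names are assumptions.

```javascript
// Added example (not Nuxt's code). Emulates the island reviver before and
// after the key validation described in the advisory's Fix Details.

// Pattern and length limit quoted from the advisory.
const ISLAND_KEY_RE = /^[a-z][a-z\d-]*_[a-z\d]+$/i;
const MAX_KEY_LENGTH = 100;

function isValidIslandKey(key) {
  return typeof key === 'string'
    && key.length <= MAX_KEY_LENGTH
    && ISLAND_KEY_RE.test(key);
}

// Where a browser fetch of `/__nuxt_island/${key}.json` actually lands:
// the WHATWG URL parser collapses "." and ".." segments before the request
// is sent, so the server never sees the traversal sequence.
// (origin is an assumption for the example.)
function islandRequestPath(key, origin = 'https://app.example') {
  return new URL(`/__nuxt_island/${key}.json`, origin).pathname;
}

// Walk a deserialized payload and collect the island fetches a reviver
// would issue. With validateKeys=false this models the vulnerable reviver;
// with validateKeys=true (default) it models the fixed behaviour.
function planIslandFetches(payload, { validateKeys = true } = {}) {
  const fetches = [];
  const rejected = [];
  const visit = (node) => {
    if (node === null || typeof node !== 'object') return;
    if (Array.isArray(node)) { node.forEach(visit); return; }
    if (Object.prototype.hasOwnProperty.call(node, '__nuxt_island')) {
      const island = node.__nuxt_island;
      const key = island && island.key;
      if (validateKeys && !isValidIslandKey(key)) {
        rejected.push(key);          // fixed reviver: never fetch
      } else {
        fetches.push(islandRequestPath(key));
      }
      return;
    }
    Object.values(node).forEach(visit);
  };
  visit(payload);
  return { fetches, rejected };
}

// Constructed sample payloads, standing in for what devalue.stringify
// would have written into the prerendered page.
const MALICIOUS_PAYLOAD = JSON.stringify({
  data: {
    profile: {
      __nuxt_island: { key: '../../../../internal/service', params: { action: 'probe' } },
    },
  },
});
const BENIGN_PAYLOAD = JSON.stringify({
  data: {
    widget: { __nuxt_island: { key: 'PricingTable_a1b2c3', params: {} } },
  },
});

// Run the three cases: vulnerable reviver, fixed reviver, and a legitimate key.
function demo() {
  const malicious = JSON.parse(MALICIOUS_PAYLOAD);   // stand-in for devalue.parse
  const benign = JSON.parse(BENIGN_PAYLOAD);
  return {
    before: planIslandFetches(malicious, { validateKeys: false }),
    after: planIslandFetches(malicious),
    benign: planIslandFetches(benign),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable pass reports a single fetch to /internal/service.json, which is the normalized form of the traversal path, while the fixed pass issues no fetch and records the rejected key; a well-formed key such as PricingTable_a1b2c3 still resolves under /__nuxt_island/. Note that the length check runs before the regex, so a 101-character key is rejected even when it matches the pattern.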
References