+ "details": "### Summary\n\nA client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.\n\n### Technical Details\n\nThe vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized `__nuxt_island` objects. The issue affects the following flow:\n\n1. During prerendering, if an API endpoint returns user-controlled data containing a crafted `__nuxt_island` object\n2. This data gets serialized with `devalue.stringify` and stored in the prerendered page\n3. When a client navigates to the prerendered page, `devalue.parse` deserializes the payload\n4. The Island reviver attempts to fetch `/__nuxt_island/${key}.json` where `key` could contain path traversal sequences\n\n### Prerequisites for Exploitation\n\nThis vulnerability requires **all** of the following conditions:\n\n1. **Prerendered pages**: The application must use Nuxt's prerendering feature (`nitro.prerender`)\n2. **Attacker-controlled API responses**: The attacker must be able to control the response content of an API endpoint that is called during prerendering via `useFetch`, `useAsyncData`, or similar composables\n3. **Client-side navigation**: A user must navigate to the prerendered page (not during initial SSR hydration)\n\n### Attack Scenario\n\n```javascript\n// Malicious API response during prerendering\n{\n \"__nuxt_island\": {\n \"key\": \"../../../../internal/service\",\n \"params\": { \"action\": \"probe\" }\n }\n}\n```\n\nThis could cause the client to make requests to `/__nuxt_island/../../../../internal/service.json` if path traversal is not properly handled by the server.\n\n### Impact Assessment\n\n- **Limited Impact**: The vulnerability has a low severity due to the highly specific prerequisites\n- **No Direct Data Exfiltration**: The vulnerability does not directly expose sensitive data\n- **Client-Side Only**: Requests originate from the client, not the server\n\n### Mitigation\n\n**Action Required:**\n- Update to Nuxt 3.19.0+ or 4.1.0+ immediately\n- Review any prerendered pages that fetch external or user-controlled data\n\n**Temporary Workarounds** (if immediate update is not possible):\n1. Disable prerendering for pages that fetch user-controlled data\n2. Implement strict input validation on API endpoints used during prerendering\n3. Use allowlists for API response structures during prerendering\n\n### Fix Details\n\n[The fix](https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595) implemented validation for Island keys in `revive-payload.server.ts`:\n- Island keys must match the pattern `/^[a-z][a-z\\d-]*_[a-z\\d]+$/i`\n- Maximum length of 100 characters\n- Prevents path traversal and special characters",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments