While there have been a number of vulnerabilities discovered within core Nuxt packages, the Nuxt team are generally responsive to issues and fix them quickly.
The majority of code I've encountered in core Nuxt packages is well written; however, fairly basic issues have slipped through the net a number of times. Since version 3.6, there have been no public vulnerability disclosures in any core Nuxt packages, which I would attribute to their increased security awareness.
I have not encountered any high severity vulnerabilities that impact Nuxt in a production environment. Production builds are well written and have a small attack surface.
My only concern is that they rarely publish security findings widely, and tend to quietly include security fixes within the next release. While this does reduce the risk of embarrassment and damage to their brand, it means users are not aware of any risks and cannot make an informed decision to update. In my opinion it is better to be seen fixing issues quickly than not to be seen fixing them at all.
A path traversal vulnerability within Nuxt Devtools could allow remote, unauthenticated attackers to perform an attack against a locally hosted instance of Nuxt with devtools enabled. This could lead to Remote Code Execution.
This was given a score of 9.8.
This issue was never published by the Nuxt team officially. I've published a copy of my report on the site.
This section includes any high-scoring vulnerabilities you should be aware of, with details on their cause and exploitation.
Nov 21, 2023 - @nuxt/devtools
8.8 - High
Unauthenticated Path Traversal (Arbitrary File Read)
- Convince a user to visit their malicious site
- Malicious site connects to the devtools websocket on
- Malicious site sends the malicious payload to leak the authentication token.
- Malicious site authenticates to devtools.
- Their site then triggers a dangerous action, e.g. modifying the app.vue file to include an unrestricted
Jun 14, 2023 - @nuxt/devtools
9.8 - Critical
Missing Authentication for Storage Actions
The setStorageItem RPC function did not have any authentication checks. This could allow an attacker to overwrite the client.manifest.mjs file, which will be executed if Nuxt is restarted. A restart could also be triggered using the restartNuxt RPC. This impacts all development builds where @nuxt/devtools is installed and enabled (this is the default in most Nuxt templates). The environment does not need to have been exposed to the internet to be at risk. This is not a risk in production builds.
May 11, 2023 - @nuxt/devtools
9.8 - Critical
Missing Authentication for Multiple Sensitive Actions
Apr 27, 2023 - nuxt
9.8 - Critical
Dangerous function exposed in development environment.
/__nuxt_component_test__ route in v3.4.0 - 3.4.2. This can allow an attacker to execute code remotely by using a special URL scheme in the path parameter. This impacts all development builds. The environment does not need to have been exposed to the internet to be at risk. This is not a risk in production builds.
This section details lower risk vulnerabilities that existed within Nuxt. These are important to patch but unlikely to cause serious harm immediately.
Feb 7, 2023 - nuxt
6.1 - Medium
XSS within title tag
useHead function. Most notably, this impacts the title field, which is often controlled by user input, such as a username. There is some evidence a variant of this issue was silently fixed recently.
Jul 27, 2022 - unstorage
7.5 - High
Path traversal in filesystem storage driver.
Jul 5, 2022 - nuxt
6.5 - Medium
Weak hash function can lead to XSS or defacement
useFetch function. If an attacker can control part of the output from a subsequent useFetch call, the data from the original call can be replaced. Full demo. This issue has not been fully patched, and is still possible by finding a partial collision of a SHA256 hash. I've published a copy of my report on the site. Essentially, it would be incredibly computationally expensive, but with a good knowledge of your target you could develop an exploit.
You can find more Nuxt related security vulnerabilities on my huntr.dev profile. Huntr has recently stopped accepting disclosures for open-source repositories, so you can expect to find newer issues in the repository's Security tab on GitHub.