Dec 17, 2023

Nuxt Vulnerabilities

An outline of historical vulnerabilities within Nuxt v3. Details on their cause, and risks.

Is Nuxt Secure?

While there have been a number of vulnerabilities discovered within core Nuxt packages, the Nuxt team are generally responsive to issues and fix them quickly.

The majority of code I've encountered in core Nuxt packages is well written, however fairly basic issues have seemed to slipped through the net a number of times. Since version 3.6, there have been no public vulnerability disclosures in any core Nuxt packages, I would attribute this to their increased security awareness.

I have not encountered any high severity vulnerabilities that impact Nuxt in a production environment. These environments are well written and have a small attack surface.

My only concern is that they rarely publish security findings widely, and tend to quietly include security fixes within the next release. While this does reduce the risk of embarssement, and damaging their brand, it means users are not aware of any risks, and cannot make an informed descion to update. In my opinion it is better to been seen fixing issues quickly rather than not be seen fixing them at all.

What is the latest Nuxt vulnerability?

A path traversal vulnerability within Nuxt Devtools could allow remote, unauthenticated attackers to perform a an attack against a locally hosted instance of Nuxt with devtools enabled. This could lead to Remote Code Execution.

This was given a score of 9.8.

This issue was never published by the Nuxt team officially. I've published a copy of my report on the site.

High Risk & Noteable Vulnerabilities

This section includes any high scoring vulnerabilities you should be aware of with details on their cause & exploitation.

Nov 21, 2023 - @nuxt/devtools

8.8 - High

Unauthenticated Path Traversal (Arbitary File Read)

This vulnerability was disclosed & fixed, but never published by the vendor.

Jun 14, 2023 - @nuxt/devtools

9.8 - Critical

Missing Authentication for Storage Actions

This vulnerability was disclosed & fixed, but never published by the vendor.

May 11, 2023 - @nuxt/devtools

9.8 - Critical

Missing Authentication for Multiple Sensitive Actions

Apr 27, 2023 - nuxt

9.8 - Critical

Dangerous function exposed in development environment.

Lower Risk Vulnerabilities

This section details lower risk vulnerabilities that existed within Nuxt. These are important to patch but unlikely to cause serious harm immediately.

Feb 7, 2023 - nuxt

6.1 - Medium

XSS within title tag

Jul 27, 2022 - unstorage

7.5 - High

Path traversal in filesystem storage driver.

Jul 5, 2022 - nuxt

6.5 - Medium

Weak hash function can lead to XSS or defacement

This vulnerability was disclosed & fixed, but regressed and was not fixed again.

More Issues

You can find more Nuxt related securiy vulnerabilities on my profile. Huntr has recently stopped accepting disclosures for open-source respositories, so you can expect to find newer issues in their Repository's Security Tab on Github.