Security: nuxt/nuxt
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcherGHSA-mm7m-92g8-7m47 published
Jun 2, 2026 by danielroeHigh -
Cross-site scripting via <NoScript> slot content in Nuxt's head componentsGHSA-m3q2-p4fw-w38m published
Jun 2, 2026 by danielroeLow -
URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`GHSA-c9cv-mq2m-ppp3 published
Jun 2, 2026 by danielroeModerate -
Nuxt dev server vite-node IPC socket is world-connectable on LinuxGHSA-534h-c3cw-v3h9 published
Jun 2, 2026 by danielroeModerate -
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)GHSA-x6qj-4h56-5rj5 published
Jun 2, 2026 by danielroeModerate -
Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URLGHSA-934w-87qh-qr26 published
Jun 2, 2026 by danielroeModerate -
Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`GHSA-rq7w-g337-39qq published
Jun 2, 2026 by danielroeLow -
Reflected XSS in `navigateTo` external redirectGHSA-fx6j-w5w5-h468 published
May 18, 2026 by danielroeModerate -
Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)GHSA-6m52-m754-pw2g published
May 18, 2026 by danielroeModerate -
`__nuxt_island` response not bound to request propsGHSA-g8wj-3cr3-6w7v published
May 18, 2026 by danielroeLow