npm/nuxt — 8 CVEs · VulnScope

HIGH8.8CVE-2024-34344Nuxt vulnerable to remote code execution via the browser when running the test locally

>= 3.4.0, < 3.12.4

HIGH8.1CVE-2023-3224nuxt Code Injection vulnerability

>= 3.4.0, < 3.4.3

HIGH7.5CVE-2025-27415Nuxt allows DOS via cache poisoning with payload rendering response

>= 3.0.0, < 3.16.0

MEDIUM6.3nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR

from 0, < 3.12.4

LOW3.1Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

>= 3.6.0, < 3.19.0

—Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

>= 3.11.0, < 3.21.6

—Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

>= 3.1.0, < 3.21.6

—Nuxt: Reflected XSS in `navigateTo()` external redirect

>= 3.4.3, < 3.21.6

pkg:npm/nuxt