Nuxtjs, Client-Side Path Traversal, CVE-2024-5719 (Low)

Listen to this Post

The vulnerability exists in the client-side payload revival mechanism (revive-payload.client.ts). During prerendering, if an API endpoint returns attacker-controlled data containing a crafted `__nuxt_island` object, it is serialized into the page HTML. Upon client-side navigation, the `devalue.parse` function deserializes this payload. The Nuxt Island reviver then automatically attempts to fetch a JSON payload from the path /__nuxt_island/${key}.json. If the `key` property within the malicious `__nuxt_island` object contains path traversal sequences (e.g., ../../../../internal/service), the client’s browser will attempt to fetch a resource from a manipulated path, potentially accessing unintended internal application endpoints if the server does not properly sanitize the request.
Platform: Nuxt.js
Version: <3.19.0, <4.1.0
Vulnerability: Path Traversal
Severity: Low

date: 2024-12-19

Prediction: 2024-12-19

What Undercode Say:

Simulating a malicious API response during prerendering
curl -H "Content-Type: application/json" -d '{"__nuxt_island":{"key":"../../../../internal/service","params":{"action":"probe"}}}' http://vulnerable-api.local/endpoint
The resulting client-side fetch attempt
fetch('/__nuxt_island/../../../../internal/service.json')
// Example of a malicious payload serialized in a prerendered page
devalue.stringify({ __nuxt_island: { key: '../../../../internal/service', props: {} } })

How Exploit:

Craft API response with `__nuxt_island` object containing a malicious `key` with path traversal sequences to access unauthorized endpoints on the same domain during client-side navigation.

Protection from this CVE

Update to Nuxt 3.19.0+ or 4.1.0+. The patch enforces key validation using the regex pattern `/^[a-z][a-z\d-]_[a-z\d]+$/i` and a maximum length of 100 characters in revive-payload.server.ts, preventing path traversal.

Impact:

Low severity. Requires specific prerendering conditions and attacker-controlled API data. Leads to client-side requests to unintended internal endpoints but no direct data exfiltration.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top