Listen to this Post
The vulnerability exists in the client-side payload revival mechanism (revive-payload.client.ts). During prerendering, if an API endpoint returns attacker-controlled data containing a crafted `__nuxt_island` object, it is serialized into the page HTML. Upon client-side navigation, the `devalue.parse` function deserializes this payload. The Nuxt Island reviver then automatically attempts to fetch a JSON payload from the path /__nuxt_island/${key}.json. If the `key` property within the malicious `__nuxt_island` object contains path traversal sequences (e.g., ../../../../internal/service), the client’s browser will attempt to fetch a resource from a manipulated path, potentially accessing unintended internal application endpoints if the server does not properly sanitize the request.
Platform: Nuxt.js
Version: <3.19.0, <4.1.0
Vulnerability: Path Traversal
Severity: Low
date: 2024-12-19
Prediction: 2024-12-19
What Undercode Say:
Simulating a malicious API response during prerendering
curl -H "Content-Type: application/json" -d '{"__nuxt_island":{"key":"../../../../internal/service","params":{"action":"probe"}}}' http://vulnerable-api.local/endpoint
The resulting client-side fetch attempt
fetch('/__nuxt_island/../../../../internal/service.json')
// Example of a malicious payload serialized in a prerendered page
devalue.stringify({ __nuxt_island: { key: '../../../../internal/service', props: {} } })
How Exploit:
Craft API response with `__nuxt_island` object containing a malicious `key` with path traversal sequences to access unauthorized endpoints on the same domain during client-side navigation.
Protection from this CVE
Update to Nuxt 3.19.0+ or 4.1.0+. The patch enforces key validation using the regex pattern `/^[a-z][a-z\d-]_[a-z\d]+$/i` and a maximum length of 100 characters in revive-payload.server.ts, preventing path traversal.
Impact:
Low severity. Requires specific prerendering conditions and attacker-controlled API data. Leads to client-side requests to unintended internal endpoints but no direct data exfiltration.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

