CVE-2025-59414
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-17

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-17
Last Modified
2025-12-03
Generated
2026-05-06
AI Q&A
2025-09-17
EPSS Evaluated
2026-05-05
NVD
CVE-2025-59414
EUVD
EUVD-2025-29762
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nuxt nuxt From 3.6.0 (inc) to 3.19.0 (exc)
nuxt nuxt From 4.0.0 (inc) to 4.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a client-side path traversal issue in Nuxt's Island payload revival mechanism. It allows attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The problem arises during the client-side payload revival process where serialized __nuxt_island objects are automatically fetched. If an API endpoint returns user-controlled data containing a crafted __nuxt_island object, it gets serialized and stored in the prerendered page. When the client navigates to this page, the payload is deserialized and the Island reviver fetches a JSON file using a key that could include path traversal sequences, potentially allowing unauthorized access to different endpoints.


How can this vulnerability impact me? :

This vulnerability can allow attackers to manipulate client-side requests to access different endpoints within the same application domain, potentially leading to unauthorized data exposure or access to unintended resources. However, the CVSS score indicates a low severity (3.1) with low confidentiality impact and no integrity or availability impact, meaning the impact is limited but could still expose some sensitive information.


What immediate steps should I take to mitigate this vulnerability?

Update Nuxt to version 3.19.0 or later, or 4.1.0 or later to mitigate this vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart