CVE-2026-34404
Received Received - Intake
Denial of Service in Nuxt OG Image via Unrestricted Dimensions

Publication date: 2026-03-31

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34404
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nuxt og_image to 6.2.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Nuxt OG Image component, which generates Open Graph images using Vue templates in Nuxt. Before version 6.2.5, the image-generation endpoint (/ _og/d/ or /og-image/ in older versions) does not restrict the width and height parameters for the generated images.

Because there are no limits on these parameters, an attacker can exploit this to cause a Denial of Service (DoS) by requesting images with extremely large dimensions, potentially overwhelming the system.

This vulnerability was confirmed using the default configuration and templates, and it has been fixed in version 6.2.5.

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) condition on systems using vulnerable versions of Nuxt OG Image.

An attacker could exploit the lack of restrictions on image dimensions to cause excessive resource consumption, potentially making the service unavailable to legitimate users.

Mitigation Strategies

To mitigate this vulnerability, upgrade Nuxt OG Image to version 6.2.5 or later, where the issue has been patched.

Compliance Impact

The vulnerability in Nuxt OG Image is a Denial of Service (DoS) issue that impacts availability by allowing attackers to exhaust server resources through unrestricted image dimension parameters.

Since the vulnerability does not affect confidentiality or integrity of data, it does not directly lead to breaches of personal data or protected health information.

However, the resulting denial of service could impact the availability of services, which is a component of compliance frameworks like GDPR and HIPAA that require ensuring availability of systems and data.

Organizations relying on affected versions should consider the risk of service disruption as a potential compliance concern related to availability requirements and apply the patch to mitigate this risk.

Detection Guidance

This vulnerability can be detected by sending HTTP GET requests to the image generation endpoint of the Nuxt OG Image package and observing the server's response and resource usage.

Specifically, you can test the endpoints /_og/d/ (for current versions) or /og-image/ (for older versions) by requesting images with very large width and height parameters, such as 20000x20000 pixels.

If the server consumes excessive memory or CPU resources or becomes unresponsive, it indicates the presence of the vulnerability.

Example command using curl to test the vulnerability:

  • curl "http://your-target-domain/_og/d/?width=20000&height=20000"

Monitor the server's resource usage during this request to detect potential Denial of Service conditions caused by uncontrolled resource consumption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart