CVE-2026-34404
Denial of Service in Nuxt OG Image via Unrestricted Dimensions
Publication date: 2026-03-31
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nuxt | og_image | < 6.2.5 (6.2.5 is the fixed release and is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Nuxt OG Image module, which renders Open Graph preview images from Vue templates inside a Nuxt application. Before version 6.2.5, the image-generation endpoint (/_og/d/ in current versions, /og-image/ in older ones) accepts width and height parameters without any upper bound, so the caller decides how large a bitmap the server has to render.
Because nothing caps these values, an attacker can request images with extreme dimensions such as 20000x20000 pixels. At that size a 32-bit (RGBA) bitmap is 1.6 GB before any compression, so a handful of concurrent requests is enough to exhaust the memory and CPU of the rendering process (CWE-400, uncontrolled resource consumption). No authentication or unusual setup is required: the advisory confirms the behaviour with the default configuration and templates.
The issue is fixed in version 6.2.5.
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) condition on systems running vulnerable versions of Nuxt OG Image.
An attacker can use the missing limits on image dimensions to drive the rendering process into excessive memory and CPU consumption, making the image endpoint, and potentially the whole Nuxt server process that hosts it, unavailable to legitimate users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Nuxt OG Image to version 6.2.5 or later, where the issue has been patched. Until the upgrade is deployed, reduce exposure at the edge: have your reverse proxy or CDN reject requests to the image endpoint whose width or height parameters exceed what your templates actually use, and rate-limit the endpoint, since each render is comparatively expensive even at normal sizes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Nuxt OG Image is a Denial of Service (DoS) issue that affects availability only: attackers can exhaust server resources through unrestricted image dimension parameters.
Since it does not affect the confidentiality or integrity of data, it does not directly lead to a breach of personal data or protected health information.
However, the resulting denial of service can affect the availability of services, and availability is one of the properties that frameworks such as GDPR and HIPAA require organisations to protect.
Organisations running affected versions should treat the risk of service disruption as an availability concern under those requirements and apply the patch.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The least disruptive check is the installed version: every deployment of the package before 6.2.5 is affected regardless of templates or configuration, so inspecting the version in your lockfile or deployment manifest (for example with npm ls on the package, published on npm as nuxt-og-image) is sufficient to decide whether to patch.
An active probe is also possible: send an HTTP GET to the image-generation endpoint (/_og/d/ for current versions, /og-image/ for older ones) with very large width and height parameters, such as 20000x20000 pixels, and watch the server.
If the Node process consumes excessive memory or CPU or becomes unresponsive, the vulnerability is present. Be aware that a positive result is the denial of service itself (a 20000x20000 32-bit bitmap is 1.6 GB uncompressed), so run the probe only against a staging instance you own, never against production.
Example command using curl to test the vulnerability:
- curl "http://your-target-domain/_og/d/?width=20000&height=20000"
Monitor the server's memory and CPU usage during the request; a large, sustained spike or a crash of the process indicates uncontrolled resource consumption.
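As an added example of the non-destructive check (my own code, not tooling from the advisory or the project), the snippet below reads the installed version out of a package-lock.json and compares it with the fixed release. It assumes the lockfileVersion 2/3 layout, where installed packages sit under "packages" keyed by their node_modules path, and it assumes the npm package name nuxt-og-image; confirm both against your own lockfile. The sample lockfile is constructed for the example.

```typescript
// Added example, not part of the advisory or the nuxt-og-image project.
const FIXED_VERSION = "6.2.5";
const PACKAGE_PATH = "node_modules/nuxt-og-image"; // assumed package name; check your lockfile

// Constructed sample lockfile (not from a real project) pinning a vulnerable version.
export const SAMPLE_LOCK = JSON.stringify({
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", dependencies: { "nuxt-og-image": "^6.1.0" } },
    "node_modules/nuxt-og-image": { version: "6.2.4", resolved: "..." },
  },
});

// Compare dotted versions numerically. A prerelease suffix ("6.2.5-beta.1") sorts below
// the release it precedes, which is the semver ordering that matters here.
export function compareVersions(a: string, b: string): number {
  const parse = (v: string) => ({
    nums: (v.split("-")[0] ?? "").split(".").map(Number),
    prerelease: v.includes("-"),
  });
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] ?? 0) - (pb.nums[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

// Anything strictly below the fixed release is in the affected range.
export function isVulnerableVersion(v: string): boolean {
  return compareVersions(v, FIXED_VERSION) < 0;
}

// Pull the installed version of the package out of a package-lock.json body.
export function installedOgImageVersion(lockJson: string): string | null {
  const lock = JSON.parse(lockJson) as { packages?: Record<string, { version?: string } | undefined> };
  const entry = lock.packages?.[PACKAGE_PATH];
  return entry?.version ?? null;
}

// Verdict for one lockfile: which version is installed and whether it needs the patch.
export function assessLockfile(lockJson: string): { installed: string | null; vulnerable: boolean } {
  const installed = installedOgImageVersion(lockJson);
  return { installed, vulnerable: installed !== null && isVulnerableVersion(installed) };
}
```

Run it over the lockfile of each deployment (and over the lockfile of any application that bundles the module as a transitive dependency) and treat a "vulnerable: true" result as a reason to upgrade before considering any active probe.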