Executive Summary

The vulnerability CVE-2026-46342 affects Nuxt.js, specifically its island components feature. The issue is that the /__nuxt_island/* endpoint accepts attacker-controlled props via query or body parameters but does not validate these props against the URL-resident hash that is supposed to verify their authenticity. This means an attacker can craft requests with manipulated props that cause the server to render island components with mismatched or malicious data.

The root cause is that the hash, which is computed and embedded client-side, is never validated server-side. This allows the same URL path to return different responses depending on the query parameters, potentially poisoning cached island responses.

The vulnerability was fixed by updating the server to recompute and validate the hash based on the actual props, ensuring that only valid requests are accepted and mismatched ones are rejected.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to manipulate the rendered content of island components by injecting attacker-controlled props that are not properly validated. If the island component uses unsafe HTML sinks such as v-html or innerHTML, this can lead to stored cross-site scripting (XSS) attacks.

The impact depends on several conditions: the experimental island feature must be enabled, a shared intermediary cache (like a CDN) must cache responses based only on the path (ignoring query parameters), and the island component must pass props through unsafe HTML sinks.

Without these conditions, the impact is limited to content swapping or inert HTML injection, which is less severe. However, if exploited, it could allow attackers to poison cached responses, potentially affecting many users.

A workaround includes configuring intermediary caches to consider the full query string in their caching keys and auditing island components for unsafe HTML prop usage.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the /__nuxt_island/* endpoint accepting attacker-controlled props without validating the URL-resident hash, which can lead to manipulated island component rendering.

To detect this vulnerability on your system, you can check if your Nuxt.js version is within the affected ranges (3.1.0 to before 3.21.6, 4.0.0-alpha.1 to before 4.4.6, or @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6).

You can also monitor network traffic or logs for requests to the /__nuxt_island/* endpoint that include query or body parameters with props, especially if the hash in the URL does not match the expected hash for those props.

Suggested commands to help detect this vulnerability include:

• Using curl or similar tools to send requests with varying props to the /__nuxt_island/* endpoint and observe if responses differ or if mismatched hashes are accepted.
• Example curl command to test the endpoint:
• curl -v 'https://your-nuxt-app/__nuxt_island/componentName_hashId.json?prop1=value1&prop2=value2'
• Check server logs or application logs for any 400 errors or unusual responses related to island requests.
• Audit caching layers (e.g., CDN) to see if they cache based on path only, which can be a sign of vulnerability exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Nuxt.js and @nuxt/nitro-server to patched versions: 3.21.6 or later, 4.4.6 or later, or 5.0.0 and above.

If immediate upgrade is not possible, you can apply the following workarounds:

• Configure any intermediary caches (such as CDNs) to use the full query string as part of the cache key instead of caching based on path only. This prevents cache poisoning by ensuring different props result in different cached responses.
• Audit your island components to ensure they do not pass props through unsafe HTML sinks like v-html or innerHTML, which could lead to stored cross-site scripting (XSS).
• Ensure that authentication and authorization are handled within the island components themselves, as island components do not run page middleware.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-46342 vulnerability in Nuxt.js can lead to potential stored cross-site scripting (XSS) attacks if certain conditions are met, such as the use of unsafe HTML sinks in island components and caching configurations that do not consider query strings. Such XSS vulnerabilities can result in unauthorized data exposure or manipulation, which may impact compliance with data protection standards like GDPR and HIPAA that require safeguarding personal and sensitive information.

Specifically, if an attacker exploits this vulnerability to inject malicious content, it could lead to breaches of confidentiality and integrity of user data, thereby violating regulatory requirements for data security and privacy.

Mitigations include patching to versions 3.21.6, 4.4.6, or later, validating hashes server-side, configuring intermediary caches to use full query strings, and auditing island components for unsafe HTML usage, all of which help maintain compliance by reducing the risk of data compromise.

Useful 0 Not Useful 0