CVE-2026-56697
Analyzed Analyzed - Analysis Complete

Protocol-Relative Path Redirect in Nuxt.js

Vulnerability report for CVE-2026-56697, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-25

Assigner: VulnCheck

Description

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-25
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nuxt nuxt From 4.0.0 (inc) to 4.4.7 (exc)
nuxt nuxt From 3.0.0 (inc) to 3.21.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7. The reloadNuxtApp function accepts protocol-relative paths such as //evil.com. These paths bypass the script-protocol check but resolve to a cross-origin URL based on the current page's protocol.

Attackers can exploit this by injecting such paths to redirect users to attacker-controlled hosts.

This enables phishing attacks and the theft of OAuth authorization codes.

Impact Analysis

The vulnerability can lead to users being redirected to malicious websites controlled by attackers.

This can facilitate phishing attacks where users may be tricked into revealing sensitive information.

Additionally, attackers can steal OAuth authorization codes, potentially compromising user accounts and access.

Compliance Impact

This vulnerability allows attackers to redirect users to attacker-controlled hosts via open redirect issues in Nuxt's reloadNuxtApp function. Such redirections can be exploited for phishing attacks and theft of OAuth authorization codes.

Phishing attacks and unauthorized access to OAuth tokens can lead to exposure of personal data or unauthorized access to protected resources, which may result in non-compliance with data protection regulations such as GDPR and HIPAA.

Organizations using vulnerable versions of Nuxt could face increased risk of data breaches or unauthorized data access, potentially violating requirements for data security and user consent under these standards.

Mitigation by updating to patched versions is necessary to reduce the risk and maintain compliance with these regulations.

Detection Guidance

This vulnerability involves Nuxt applications accepting protocol-relative paths such as //evil.com in the reloadNuxtApp function, which can lead to open redirects to attacker-controlled hosts.

To detect this vulnerability on your system, you can check the version of Nuxt you are running to see if it is within the vulnerable range (versions 4.0.0 before 4.4.7 and 3.x before 3.21.7).

Additionally, monitoring network traffic for unexpected redirects to external domains using protocol-relative URLs (starting with //) can help identify exploitation attempts.

  • Check Nuxt version via package.json or npm/yarn commands, e.g., `npm list nuxt` or `yarn list nuxt`.
  • Use network monitoring tools (e.g., Wireshark, tcpdump) or browser developer tools to inspect HTTP redirects and look for URLs starting with // that lead to external domains.
  • Search your codebase for usage of reloadNuxtApp function and verify if input paths are sanitized or validated against cross-origin URLs.
Mitigation Strategies

The primary mitigation step is to update Nuxt to a patched version where this vulnerability is fixed, specifically versions 4.4.7 or later for the 4.x branch and 3.21.7 or later for the 3.x branch.

The fix involves enhancing the reloadNuxtApp function to reject protocol-relative paths that resolve to cross-origin URLs by validating the host against the current window's host.

Until you can update, you should implement input validation to reject or sanitize any protocol-relative URLs or paths starting with // that could lead to external hosts.

  • Upgrade Nuxt to version 4.4.7 or later, or 3.21.7 or later.
  • Add validation in your application to reject or sanitize URLs passed to reloadNuxtApp, ensuring they do not start with // or point to external domains.
  • Review and update any custom navigation or redirect logic to prevent open redirects.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56697. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart