VulnerableCode Package Details - pkg:npm/nuxt@3.6.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-bqdh-qhnz-93hk Aliases: CVE-2024-34344 GHSA-v784-fjjh-f8r4	Nuxt vulnerable to remote code execution via the browser when running the test locally Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.	3.12.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-jctz-ddrp-g7gf Aliases: CVE-2025-27415 GHSA-jvhm-gjrh-3h93	Nuxt allows DOS via cache poisoning with payload rendering response By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as `https://mysite.com/?/_payload.json` which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.	3.16.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-m6hz-c5kh-dycw Aliases: CVE-2025-59414 GHSA-p6jq-8vc4-79f6	Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.	3.19.0 Affected by 0 other vulnerabilities. 4.1.0 Affected by 0 other vulnerabilities.
VCID-t4v9-tuw8-tbgv Aliases: CVE-2024-34343 GHSA-vf6r-87q4-2vjf	nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies.	3.12.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-bqdh-qhnz-93hk
Aliases:
CVE-2024-34344
GHSA-v784-fjjh-f8r4

Nuxt vulnerable to remote code execution via the browser when running the test locally Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.

3.12.4
Affected by 2 other vulnerabilities.

VCID-jctz-ddrp-g7gf
Aliases:
CVE-2025-27415
GHSA-jvhm-gjrh-3h93

Nuxt allows DOS via cache poisoning with payload rendering response By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as `https://mysite.com/?/_payload.json` which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.

3.16.0
Affected by 1 other vulnerability.

VCID-m6hz-c5kh-dycw
Aliases:
CVE-2025-59414
GHSA-p6jq-8vc4-79f6

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

3.19.0
Affected by 0 other vulnerabilities.

4.1.0
Affected by 0 other vulnerabilities.

VCID-t4v9-tuw8-tbgv
Aliases:
CVE-2024-34343
GHSA-vf6r-87q4-2vjf

nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies.

3.12.4
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-07T20:51:23.958774+00:00	GHSA Importer	Affected by	VCID-m6hz-c5kh-dycw	https://github.com/advisories/GHSA-p6jq-8vc4-79f6	38.6.0
2026-06-06T05:42:36.976402+00:00	GitLab Importer	Affected by	VCID-jctz-ddrp-g7gf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nuxt/CVE-2025-27415.yml	38.6.0
2026-06-06T05:16:56.304850+00:00	GitLab Importer	Affected by	VCID-bqdh-qhnz-93hk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nuxt/CVE-2024-34344.yml	38.6.0
2026-06-06T05:16:47.486224+00:00	GitLab Importer	Affected by	VCID-t4v9-tuw8-tbgv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nuxt/CVE-2024-34343.yml	38.6.0
2026-06-02T04:47:54.260060+00:00	GitLab Importer	Affected by	VCID-m6hz-c5kh-dycw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nuxt/CVE-2025-59414.yml	38.6.0