### Critical Vulnerability Information

#### Vulnerability Overview

- **Type**: Client-side path traversal
- **Affected Versions**: `>=3.6.0 <3.19.0` (3.x line) and `>=4.0.0 <4.1.0` (4.x line)
- **Severity**: Low (CVSS v3 Base Score: 3.1/10)

#### Technical Details

- **Description**: Nuxt's Island payload restoration interpolates an island key taken from the deserialized payload into a fetch URL without validating it. An attacker who can get a crafted `_nuxt_island` object into a prerendered payload can therefore make a victim's browser issue a request to an arbitrary path on the application's own origin.
- **Process**:
  1. During prerendering, an API endpoint returns user-controlled data containing a malicious `_nuxt_island` object.
  2. The data is serialized with `devalue.stringify` and stored in the prerendered page's payload.
  3. When the client navigates to the prerendered page, `devalue.parse` deserializes the payload.
  4. The Island restorer fetches `/__nuxt_island/${key}.json`, where `key` may contain path traversal sequences such as `../`; the browser's URL parser resolves those segments before the request is sent, so the request lands on a different same-origin path.

#### Exploitation Prerequisites

- The application must use Nuxt's prerendering feature (`nitro.prerender`).
- The attacker must be able to control the response content of an API endpoint that is fetched during prerendering.
- The victim must navigate to the prerendered page on the client; the payload is not revived this way during initial SSR hydration.

#### Impact Assessment

- **Limited Impact**: The prerequisites are highly specific, so the severity is low.
- **No Direct Data Exposure**: The vulnerability does not directly expose sensitive data.
- **Client-Side Only**: The traversal request originates from the victim's browser, not from the server.

#### Mitigation Measures

- **Immediate Update**: Upgrade to Nuxt 3.19.0+ or 4.1.0+.
- **Review Prerendered Pages**: Audit any prerendered pages that fetch external or user-controlled data.
- **Temporary Workarounds**:
  - Disable prerendering for pages that fetch user-controlled data.
  - Implement strict input validation on API endpoints used during prerendering.
  - Allowlist the API response structures accepted during prerendering, so that an unexpected `_nuxt_island` object is dropped rather than serialized into the payload.

#### Fix Details

- **Fix**: Validation of island keys was added in `revive-payload.server.ts`.
  - Island keys must match the pattern `/^[a-z][a-z\d]*_[a-z\d]+$/i`.
  - Maximum length is 100 characters.
  - Keys containing path separators, `..` sequences or other special characters are rejected, which closes the traversal.
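The traversal and the key check, as an added example that is not Nuxt's own code: it builds the island URL the way the advisory describes, shows what path the browser actually requests once `../` segments are resolved, and then applies the pattern and length limit from the fix details before the key reaches the URL. The URL shape `/__nuxt_island/${key}.json` and the regex are taken from the advisory; the function names, the origin `https://app.example` and the sample payload are constructed here.

```javascript
// Added example, not Nuxt's code. Demonstrates the client-side path traversal
// in the island URL and the key validation described in the advisory.

// Pattern and length limit quoted from the advisory's fix details.
const ISLAND_KEY_RE = /^[a-z][a-z\d]*_[a-z\d]+$/i;
const ISLAND_KEY_MAX_LENGTH = 100;

// Vulnerable shape: the key from the deserialized payload goes straight into the path.
function islandUrlUnchecked(key) {
  return `/__nuxt_island/${key}.json`;
}

// What the browser actually requests: the URL parser collapses `..` segments
// before the request leaves the client, so the `.json` suffix is no guard.
// `https://app.example` is an assumed origin for the demonstration.
function resolvedRequestPath(path, origin = 'https://app.example') {
  const url = new URL(path, origin);
  return { pathname: url.pathname, search: url.search };
}

// Hardened shape: reject anything that is not `<letters/digits>_<letters/digits>`
// or longer than 100 characters, mirroring the check added in the fix.
function isValidIslandKey(key) {
  return typeof key === 'string'
    && key.length <= ISLAND_KEY_MAX_LENGTH
    && ISLAND_KEY_RE.test(key);
}

function islandUrlChecked(key) {
  if (!isValidIslandKey(key)) {
    throw new Error(`Invalid island key: ${JSON.stringify(key)}`);
  }
  return `/__nuxt_island/${key}.json`;
}

// Constructed sample: an API response that a prerendered page embedded in its
// payload. The attacker-controlled field smuggles a `_nuxt_island` object whose
// key climbs out of /__nuxt_island/ and pushes the `.json` suffix into the query.
const samplePayload = {
  post: {
    title: 'hello',
    _nuxt_island: { key: '../../api/account/delete?x=', params: {} },
  },
};

// Runs both code paths on the sample and reports what each would do.
function demo() {
  const key = samplePayload.post._nuxt_island.key;
  const unchecked = islandUrlUnchecked(key);
  let rejected = false;
  try {
    islandUrlChecked(key);
  } catch {
    rejected = true;
  }
  return {
    unchecked,
    requested: resolvedRequestPath(unchecked),
    rejected,
  };
}

console.log(demo());
```

A real island key has the form `ComponentName_hash`, which is exactly what the regex admits; anything with `/`, `.`, `?` or `%` fails the test, so the URL can only ever point inside `/__nuxt_island/`.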