HIGH 7.5

GHSA-jvhm-gjrh-3h93

Nuxt allows DOS via cache poisoning with payload rendering response

Details

### Summary

By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.

It is possible to craft a request, such as `https://mysite.com/?/_payload.json` which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.

### Impact

An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.

## Conclusion :

This is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see [this article](https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir), in particular the "Internal URL parameter and pageProps" part, the latter being very similar to the one concerning us here.)

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / nuxt

Introduced in: 3.0.0 Fixed in: 3.16.0

Fix npm install nuxt@3.16.0

References

https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-27415 [ADVISORY]
https://github.com/nuxt/nuxt [PACKAGE]