CVE-2025-27415

Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*

History

03 Dec 2025, 18:44

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nuxt:nuxt::::::::
References	~~() https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 -~~	() https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 - Third Party Advisory
First Time		Nuxt Nuxt nuxt

Information

Published : 2025-03-19 19:15

Updated : 2025-12-03 18:44

NVD link : CVE-2025-27415

Mitre link : CVE-2025-27415

CVE.ORG link : CVE-2025-27415

JSON object : View

Products Affected

nuxt

nuxt

CWE

CWE-349

Acceptance of Extraneous Untrusted Data With Trusted Data

{"id": "CVE-2025-27415", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-19T19:15:47.257", "references": [{"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-349"}]}], "descriptions": [{"lang": "en", "value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0."}, {"lang": "es", "value": "Nuxt es un framework de desarrollo web de c\u00f3digo abierto para Vue.js. Antes de la versi\u00f3n 3.16.0, al enviar una solicitud HTTP manipulada a un servidor tras una CDN, era posible, en ciertas circunstancias, contaminar la cach\u00e9 de la CDN, lo que afectaba gravemente la disponibilidad de un sitio. Es posible manipular una solicitud, como https://mysite.com/?/_payload.json, que se renderizar\u00eda como JSON. Si la CDN frente a un sitio Nuxt ignora la cadena de consulta al determinar si se debe almacenar en cach\u00e9 una ruta, esta respuesta JSON podr\u00eda enviarse a futuros visitantes del sitio. Un atacante puede realizar este ataque a un sitio vulnerable para inhabilitarlo indefinidamente. Tambi\u00e9n es posible, si se restablece la cach\u00e9, crear un peque\u00f1o script que env\u00ede una solicitud cada X segundos (= duraci\u00f3n de la cach\u00e9), de modo que la cach\u00e9 se inutilice permanentemente, dejando el sitio completamente indisponible. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.16.0."}], "lastModified": "2025-12-03T18:44:15.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D5003E3-17E0-4FD0-8449-637E21A366A2", "versionEndExcluding": "3.16.0", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}