CVE-2025-59414

{"id": "CVE-2025-59414", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2025-09-17T19:15:47.437", "references": [{"url": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+."}, {"lang": "es", "value": "Nuxt es un framework de desarrollo web de c\u00f3digo abierto para Vue.js. Antes de las versiones 3.19.0 y 4.1.0, una vulnerabilidad de salto de ruta del lado del cliente en el mecanismo de reactivaci\u00f3n de carga \u00fatil de Nuxt Island permit\u00eda a los atacantes manipular solicitudes del lado del cliente a diferentes puntos finales dentro del mismo dominio de aplicaci\u00f3n cuando se cumplen condiciones espec\u00edficas de prerrenderizado. La vulnerabilidad ocurre en el proceso de reactivaci\u00f3n de carga \u00fatil del lado del cliente (revive-payload.client.ts) donde las Nuxt Islands se obtienen autom\u00e1ticamente al encontrar objetos __nuxt_island serializados. Durante el prerrenderizado, si un punto final de la API devuelve datos controlados por el usuario que contienen un objeto __nuxt_island manipulado, los datos se serializan con devalue.stringify y se almacenan en la p\u00e1gina prerrenderizada. Cuando un cliente navega a la p\u00e1gina prerrenderizada, devalue.parse deserializa la carga \u00fatil. El reactivador de Island intenta obtener /__nuxt_island/${key}.json donde key podr\u00eda contener secuencias de salto de ruta. Actualice a Nuxt 3.19.0+ o 4.1.0+."}], "lastModified": "2025-12-03T18:47:40.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A93E3D1-3CAE-47EF-A52F-E77C13FAA56E", "versionEndExcluding": "3.19.0", "versionStartIncluding": "3.6.0"}, {"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48C5B681-0D99-46B1-A2FB-509870F61BD8", "versionEndExcluding": "4.1.0", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}