Description
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation component served at the URI /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service resulting from unrestricted image dimensions
Action: Apply Patch
AI Analysis

Impact

The vulnerability in Nuxt OG Image allows an attacker to generate overly large images because the width and height inputs are not validated. Sending large values can exhaust memory or disk resources, causing the image generation process to stall or fail and ultimately leading to a Denial of Service against the application. The weakness is a classic input validation flaw, mapped to CWE-400 (Uncontrolled Resource Consumption).

Affected Systems

The affected product is the nuxt-modules:og-image package, specifically all releases prior to 6.2.5. The vulnerability exists in the /_og/d/ endpoint and, in earlier minor releases, the /og-image/ endpoint. Deployments running versions of this module older than 6.2.5 under Node.js are at risk.

Risk and Exploitability

The CVSS 4.0 score of 6.9 is rated Medium; the record also carries a CVSS 3.1 score of 7.5 (High). The low EPSS (<1%) suggests that exploitation has not been widely observed, and the CVE is not listed in the CISA KEV catalog. A remote attacker can trigger the DoS by sending an HTTP request to the vulnerable endpoint with large width or height parameters; no authentication or additional privileges are required.

Generated by OpenCVE AI on April 9, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update nuxt‑modules:og‑image to version 6.2.5 or later.


Advisories
Source: GitHub GHSA
ID: GHSA-c7xp-q6q8-hg76
Title: Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions

History

Thu, 09 Apr 2026 19:30:00 +0000

Values added:
  • First Time appeared: Nuxt; Nuxt og Image
  • CPEs: cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Nuxt; Nuxt og Image
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 02 Apr 2026 20:30:00 +0000

Values added:
  • First Time appeared: Nuxt-modules; Nuxt-modules og-image
  • Vendors & Products: Nuxt-modules; Nuxt-modules og-image

Wed, 01 Apr 2026 23:45:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Values added:
  • Description: Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation component served at the URI /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.
  • Title: Nuxt OG Image vulnerable to DoS via image generation
  • Weaknesses: CWE-400
  • References
  • Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:37:28.025Z

Reserved: 2026-03-27T13:45:29.620Z

Link: CVE-2026-34404

Vulnrichment

Updated: 2026-04-01T13:37:17.140Z

NVD

Status: Analyzed

Published: 2026-03-31T22:16:18.663

Modified: 2026-04-09T19:28:18.997

Link: CVE-2026-34404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:53Z
