Impact
The vulnerability in the Nuxt OG Image module allows an attacker to trigger a denial of service by requesting images with arbitrarily large width and height values. Because the image‑generation component at "/_og/d/" (and older "/og-image/" paths) imposes no limits on these parameters, an attacker can force the server to allocate excessive memory or CPU resources to render the requested image. This leads to resource exhaustion, potentially causing the entire application to become unresponsive. The weakness is identified as CWE‑400 and rated with a CVSS score of 6.9.
Affected Systems
This defect applies to all deployments of the nuxt-modules:og-image package before version 6.2.5. Users running any earlier released versions that expose the "/_og/d/" endpoint or the legacy "/og-image/" route are vulnerable. Updating the module to 6.2.5 or later patches the issue.
Risk and Exploitability
The CVSS score of 6.9 indicates a medium-to-high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Although the official documentation does not detail the attack vector, it is inferred that an unauthenticated user can exploit the flaw by supplying crafted width and height URL parameters to the vulnerable endpoint. Successful exploitation requires network access to the application and results in service degradation without compromising data confidentiality or integrity.
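The passages above describe both the root cause (no bound on width/height before rendering) and the detection angle (unauthenticated requests carrying oversized dimension parameters). The block below is an added example, not code from the nuxt-modules/og-image project or its 6.2.5 fix: it shows a server-side bound check that a handler could run before any image is rendered, and a log scan that flags requests to the "/_og/d/" and "/og-image/" routes whose parameters would fail that check. The limits, the default 1200x630 size, the parameter names and the access-log lines are assumptions constructed for this example.

```javascript
// Added example (not the og-image module's own code): bound-check image
// dimension query parameters before rendering, and scan access logs for
// requests that would have exceeded those bounds. All limits are assumed.

const MAX_WIDTH = 2048;              // assumed ceiling; OG images are typically 1200x630
const MAX_HEIGHT = 2048;
const MAX_PIXELS = 1200 * 630 * 4;   // assumed cap on the total pixel budget per render

// Parse one dimension from a query string value; null when it is not a
// plain positive integer (rejects "", "-1", "1e9", "99999999").
function parseDimension(value) {
  if (typeof value !== 'string' || !/^\d{1,5}$/.test(value)) return null;
  const n = Number(value);
  return n >= 1 ? n : null;
}

// Validate { width, height } from the query. Returns { ok: true, width, height }
// or { ok: false, status, reason } so the handler can answer 400 instead of
// allocating a canvas for an arbitrarily large image.
function validateOgDimensions(query) {
  const width = query.width === undefined ? 1200 : parseDimension(query.width);
  const height = query.height === undefined ? 630 : parseDimension(query.height);
  if (width === null || height === null) {
    return { ok: false, status: 400, reason: 'width/height must be positive integers' };
  }
  if (width > MAX_WIDTH || height > MAX_HEIGHT || width * height > MAX_PIXELS) {
    return { ok: false, status: 400, reason: 'requested dimensions exceed the render budget' };
  }
  return { ok: true, width, height };
}

// Detection side: constructed access-log lines (common log format) for the
// OG image routes named in the advisory, plus one unrelated request.
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /_og/d/home.png?width=1200&height=630 HTTP/1.1" 200 48120',
  '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /_og/d/home.png?width=99999&height=99999 HTTP/1.1" 200 0',
  '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /og-image/post.png?width=30000&height=1 HTTP/1.1" 500 0',
  '198.51.100.2 - - [01/Jan/2025:10:00:03 +0000] "GET /api/health HTTP/1.1" 200 15',
];

// Return the log lines whose OG image request carries dimensions that fail
// the same check the handler applies, with the reason attached.
function findOversizedOgRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"GET (\/_og\/d\/|\/og-image\/)\S*?\?(\S*) HTTP/);
    if (!m) continue;
    const query = Object.fromEntries(new URLSearchParams(m[2]));
    const verdict = validateOgDimensions(query);
    if (!verdict.ok) hits.push({ line, reason: verdict.reason });
  }
  return hits;
}

// Stand-alone run: report flagged lines from the constructed sample.
for (const hit of findOversizedOgRequests(SAMPLE_LOG)) {
  console.log(`${hit.reason}: ${hit.line}`);
}
```

The validation rejects before any allocation happens, which is the property that matters for a CWE-400 issue: the cost of a bad request stays proportional to parsing a short string, not to the product of the two numbers. The log scan reuses the same function so that the detection threshold and the enforcement threshold cannot drift apart.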
OpenCVE Enrichment
Github GHSA