Description
Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validation. This vulnerability is fixed in 6.4.9.
Published: 2026-05-14
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nuxt OG Image creates Open Graph images by rendering Vue templates that can fetch external resources. The denylist introduced in version 6.2.5 was meant to stop malicious requests but it does not cover all IPv6 prefixes and it does not re‑validate redirects, allowing an attacker to cause the server to request arbitrary URLs—including internal or private addresses. The weakness is a classic SSRF flaw (CWE‑918). While the CVSS score is low, the potential to exfiltrate internal data or trigger further attacks remains.

Affected Systems

The vulnerability exists in the nuxt-modules:og-image package below version 6.4.9. Users running 6.2.5 or later but prior to 6.4.9 are affected. The fix is available in 6.4.9 and newer. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 3.7 indicates low overall risk, and no EPSS score is published. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a malicious URL to the OG image generator; a successful exploitation could lead to internal host enumeration or traffic interception. The incomplete IPv6 denylist and missing redirect validation make the attack surface larger but still limited to server‑initiated outbound requests.

Generated by OpenCVE AI on May 14, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nuxt-og-image to version 6.4.9 or later
  • If an upgrade is not immediately possible, configure the application to reject all external image URLs or use a stricter denylist that includes all relevant IPv6 ranges and disables redirect following
  • Monitor application logs for unexpected outbound requests to internal resources or redirects

Generated by OpenCVE AI on May 14, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c2rm-g55x-8hr5 nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
History

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Nuxt-modules
Nuxt-modules og-image
Vendors & Products Nuxt-modules
Nuxt-modules og-image

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validation. This vulnerability is fixed in 6.4.9.
Title nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Nuxt-modules Og-image
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:51:03.306Z

Reserved: 2026-05-06T21:49:12.425Z

Link: CVE-2026-44589

cve-icon Vulnrichment

Updated: 2026-05-14T19:42:45.705Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T19:16:38.007

Modified: 2026-05-15T14:44:49.877

Link: CVE-2026-44589

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses