Description
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.
Published: 2026-06-12
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the way Nuxt’s /__nuxt_island/ endpoint handles request parameters. Instead of binding responses to the supplied props and verifying that the URL’s hash matches the expected component hash, the framework allows any set of props to be supplied. This omission permits an attacker to supply arbitrary props that alter the rendered component, which in turn causes the same cache key to return different responses. The vulnerability’s primary consequence is shared‑cache poisoning, which can compromise the confidentiality and integrity of content delivered to other users who retrieve the same cached response, and it is classified under CWE‑349, CWE‑444, and CWE‑79.

Affected Systems

Nuxt framework, including Nuxt 3.1.0 through 3.21.5 and Nuxt 4.0.0‑alpha.1 through 4.4.5, as well as the @nuxt/nitro-server package from 3.20.0 through 3.21.5 and 4.0.0‑alpha.1 through 4.4.5. The defect is fixed in Nuxt 3.21.6, Nuxt 4.4.6, and the corresponding nitro-server releases.

Risk and Exploitability

The CVSS base score is 2.3, indicating low overall severity, and the EPSS score is less than 1%, suggesting that exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, meaning no widespread, publicly known exploits are documented. Attackers can craft a request to the /__nuxt_island/ endpoint with attacker‑controlled props and a matching hash, causing the server to render a different island component before caching it. If the cache key lacks the props, subsequent users may receive the altered content, leading to a cache poisoning attack. The attack vector is HTTP request manipulation; no privileged access or code execution is required. Given the low likelihood, organizations that heavily rely on shared caching should still consider applying the patch.

Generated by OpenCVE AI on June 12, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuxt to version 3.21.6 or later, and upgrade @nuxt/nitro-server to the corresponding compatible release.
  • If an immediate upgrade is not possible, block external access to the /__nuxt_island/ endpoint by configuring firewall rules or the web server to deny requests to that path until the patch is applied.
  • Apply server‑side validation that confirms the hash embedded in the URL matches the supplied props for each request, rejecting any request that fails this check, thereby preventing cache poisoning until a patch is in place.

Generated by OpenCVE AI on June 12, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g8wj-3cr3-6w7v Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
History

Fri, 12 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Nuxt
Nuxt nuxt
Vendors & Products Nuxt
Nuxt nuxt

Fri, 12 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.
Title Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Weaknesses CWE-349
CWE-444
CWE-79
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Nuxt Nuxt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:54:39.647Z

Reserved: 2026-05-13T18:37:30.990Z

Link: CVE-2026-46342

cve-icon Vulnrichment

Updated: 2026-06-12T14:38:07.488Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T14:16:31.590

Modified: 2026-06-12T16:01:25.477

Link: CVE-2026-46342

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T15:00:09Z

Weaknesses
  • CWE-349

    Acceptance of Extraneous Untrusted Data With Trusted Data

  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')