Impact
Nuxt is an open-source framework for Vue.js. In versions 3.11.0 up to but not including 3.21.7, and 4.0.0 up to but not including 4.4.7, route-rule middleware can be bypassed because of a case-sensitivity mismatch between vue-router and the internal routeRules matcher. An attacker who can supply a URL path with altered case can cause the middleware check to be skipped, gaining access to content or functionality that should be guarded. The flaw is rooted in improper handling of input case sensitivity (CWE-178) and missing or weak authorization checks (CWE-863), and it can lead to unauthorized reading of protected resources. Based on the description, it is inferred that the attacker crafts a URL with altered case to exercise the bypass.
Affected Systems
Nuxt framework versions 3.11.0 through 3.21.6 inclusive and 4.0.0 through 4.4.6 inclusive are affected. The vulnerability was patched in versions 3.21.7 and 4.4.7.
Risk and Exploitability
The CVSS score of 8.8 places this vulnerability in the high-severity range. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. An attacker could exploit the issue by requesting a URL whose case differs from that of the defined route, causing the application to bypass middleware checks. The attack requires only the ability to reach the target application's URLs, and the potential impact includes unauthorized access to protected content or functionality. Based on the description, it is inferred that the attacker would need to target the application's public-facing routes to achieve the bypass.
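For retrospective detection, the check below scans access-log lines for requests whose path falls under a protected route rule only when case is ignored, which is the request shape described above. It is an added example, not code from Nuxt or from this advisory; the `PROTECTED_PREFIXES` list, the log format, and the sample lines are constructed assumptions to be replaced with the application's own routeRules paths and logs.

```javascript
// Hypothetical list: paths that carry middleware via routeRules in your app.
const PROTECTED_PREFIXES = ['/admin', '/account/settings'];

// Pull the request path (query string and fragment removed) out of a
// common/combined-log-format line. Returns null for lines that do not parse.
function requestPath(line) {
  const m = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1].split(/[?#]/)[0] : null;
}

// True when `path` equals `prefix` or sits below it on a segment boundary,
// so '/administrator' is not treated as being under '/admin'.
function isUnder(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Report requests that match a protected prefix case-insensitively but not
// exactly: the case-sensitive rule matcher would have missed them.
function caseVariantHits(lines, prefixes = PROTECTED_PREFIXES) {
  const hits = [];
  for (const line of lines) {
    const path = requestPath(line);
    if (path === null) continue;
    for (const prefix of prefixes) {
      const exact = isUnder(path, prefix);
      const folded = isUnder(path.toLowerCase(), prefix.toLowerCase());
      if (folded && !exact) hits.push({ path, rule: prefix, line });
    }
  }
  return hits;
}

// Constructed sample log lines (documentation IP range, invented timestamps).
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/users HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /Admin/users?page=2 HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /account/SETTINGS HTTP/1.1" 200 301',
  '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /administrator HTTP/1.1" 404 0',
  'malformed line',
];

for (const hit of caseVariantHits(SAMPLE_LOG)) {
  console.log(`case-variant request for ${hit.rule}: ${hit.path}`);
}
```

A hit with a 2xx status on a version in the affected range is worth reviewing against the session that made it; after upgrading to 3.21.7 or 4.4.7 the same check still serves as a probe indicator.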