Impact
The vulnerability arises from improper validation of path-normalized payloads within the Nuxt navigateTo function, allowing attackers to craft URLs such as "/..//evil.com" or "/.//evil.com" that bypass external-host checks. This flaw can cause the application to respond with a Location header or meta-refresh redirecting users to attacker-controlled sites. The primary impact is the facilitation of phishing attacks and potential OAuth authorization-code theft, as users may unknowingly grant access to malicious actors. The weakness is identified as CWE-601: Open Redirect.
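The check below is an added example, not Nuxt's code and not the upstream fix. It validates a redirect target after path normalization, so the two payloads quoted above are rejected before a Location header is written. The helper name safeLocalRedirect and the placeholder origin are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not part of Nuxt or its patch.
// PLACEHOLDER_ORIGIN is an assumption: a dummy base used only for parsing.
const PLACEHOLDER_ORIGIN = 'http://redirect-check.invalid';

// Returns the normalized same-site path for `target`, or null when following
// it could send the browser to another host.
function safeLocalRedirect(target) {
  // Only site-relative paths are candidates; absolute URLs are refused.
  if (typeof target !== 'string' || !target.startsWith('/')) return null;

  let url;
  try {
    // The WHATWG parser resolves "." and ".." segments for us.
    url = new URL(target, PLACEHOLDER_ORIGIN);
  } catch {
    return null;
  }

  // "//host" and "/\host" are parsed as a new authority, changing the origin.
  if (url.origin !== PLACEHOLDER_ORIGIN) return null;

  // "/..//evil.com" and "/.//evil.com" keep the origin but normalize to the
  // path "//evil.com", which a browser reads as a protocol-relative URL.
  if (url.pathname.startsWith('//')) return null;

  // Emit the normalized form so what was checked is what gets sent.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs: the two payloads from the advisory text plus
// ordinary targets for comparison.
const SAMPLES = [
  '/..//evil.com',
  '/.//evil.com',
  '//evil.com',
  'https://evil.com/',
  '/dashboard?tab=1#top',
  '/a/../b',
];

function checkSamples() {
  return SAMPLES.map((t) => [t, safeLocalRedirect(t)]);
}

for (const [input, result] of checkSamples()) {
  console.log(JSON.stringify(input), '->', result === null ? 'REJECTED' : result);
}
```

Validating the normalized value and then redirecting to that same value avoids a mismatch between the string that was checked and the string the browser receives.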
Affected Systems
Nuxt 4.x versions prior to 4.4.7 and 3.x versions prior to 3.21.7 are affected. Any Nuxt project that uses the navigateTo API in a server-side context falls within the attack surface. The advisory gives version ranges only for these two major lines; the specific patch version in use must be checked against the project's dependencies.
Risk and Exploitability
The CVSS base score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread public exploits yet. Exploitation is likely via an HTTP request to a vulnerable Nuxt endpoint that triggers the navigateTo logic. An attacker must be able to send crafted requests to the application, which may be exposed to the internet or to internal networks. Given the lack of known active attacks and the moderate score, the immediate risk is moderate, but the potential for phishing or credential theft warrants timely remediation.