Description
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nuxt 4 and 3 earlier releases contain a flaw that allows attackers to supply protocol‑relative URLs to the reloadNuxtApp function. Those URLs, such as //evil.com, bypass the script‑protocol validation but resolve to a different origin under the current protocol. When processed, the function redirects the browser, enabling attackers to send end users to attacker‑controlled sites. This can be exploited for phishing or to hijack OAuth authorization codes. The weakness is a typical open‑redirect scenario (CWE‑601).

Affected Systems

The vulnerability affects the Nuxt web framework, specifically versions 4.0.0 through 4.4.6 and 3.x through 3.21.6. Systems running a Nuxt application that rely on the reloadNuxtApp helper and target those version ranges are at risk. The affected codebase is hosted on Node.js environments and would need to be updated accordingly.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and no EPSS score is available, so the likelihood of exploitation cannot be quantified. The issue is not currently listed in CISA’s KEV catalog. Because the redirect occurs client‑side, an attacker can craft a malicious link that a user clicks to trigger the redirect, making phishing a realistic threat vector. Remote users who visit an attacker‑controlled page can be redirected to malicious domains when the target application processes the protocol‑relative URL.

Generated by OpenCVE AI on June 22, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuxt to a fixed release (≥4.4.7 or ≥3.21.7).
  • Patch any custom code that uses reloadNuxtApp with user‑supplied URLs to ensure they are fully qualified and originate from trusted domains.
  • Audit application deployments for usage of reloadNuxtApp and remove or sanitize any unresolved protocol‑relative paths.

Generated by OpenCVE AI on June 22, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Nuxt nuxt
Vendors & Products Nuxt nuxt

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.
Title Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp
First Time appeared Nuxt
Nuxt og Image
Weaknesses CWE-601
CPEs cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*
Vendors & Products Nuxt
Nuxt og Image
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Nuxt Nuxt Og Image
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:53.038Z

Reserved: 2026-06-22T17:09:16.556Z

Link: CVE-2026-56697

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T03:00:12Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')