Impact
Nuxt versions prior to 4.4.7 and 3.21.7 do not validate script‑capable URLs supplied to the navigateTo open option, permitting attackers to inject javascript: links. When an attacker supplies a client‑controlled URL containing a javascript: scheme, the browser will execute the payload in the context of the application’s origin. This grants the attacker the ability to read and modify data within the web application, leading to theft of sensitive information, session hijacking, or defacement. The weakness is a classic reflected XSS flaw as identified by CWE‑79.
Affected Systems
Nuxt applications using 4.0.0 through 4.4.6, and any 3.x release earlier than 3.21.7, remain vulnerable. The issue affects all Nuxt deployments that rely on navigateTo with the open option if they do not validate the input respectively. The vulnerability does not extend to Nuxt 4.4.7+ or 3.21.7+ where the validation has been implemented, or to projects that have removed the open option from their navigation logic.
Risk and Exploitability
The CVSS score of 5.3 classifies the vulnerability as medium severity, indicating that while exploitation is feasible, it does not provide remote code execution. The EPSS score is not available, so no estimate of current exploitation probability can be provided, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to supply a crafted javascript: URL through the open parameter, typically via a user‑controllable input such as a query string or form field. If the application renders that URL or otherwise trusts it, the payload will run in the victim’s browser, allowing data exfiltration and other malicious actions. The risk is heightened if the application uses navigateTo with open for external links without proper validation.
OpenCVE Enrichment