Ohb00

**Name of the Vulnerable Software and Affected Versions** Nuxt Devtools versions prior to 1.3.9 **Description** The issue arises from missing authentication on the `getTextAssetContent` RPC function, which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker can interact with a locally running devtools instance and exfiltrate data. In certain configurations, an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve remote code execution (RCE). The `getTextAssetContent` function does not check for path traversals, allowing an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the origin of the request, leading to cross-site-websocket-hijacking. Nuxt Devtools authentication tokens are placed within the home directory of the current user. A malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, and then use the authenticated `writeStaticAssets` function to create a new Component, Nitro Handler, or `app.vue` file, which will run automatically as the file is changed. **Recommendations** For versions prior to 1.3.9, upgrade to release version 1.3.9 to address the vulnerability. As a temporary workaround, consider disabling the `getTextAssetContent` function and restricting access to the Devtools WebSocket to minimize the risk of exploitation. Avoid using the `writeStaticAssets` function in the affected API endpoint until the issue is resolved. Restrict access to the vulnerable `app.vue` file to prevent automatic execution of malicious code.

**Name of the Vulnerable Software and Affected Versions** Nuxt versions prior to 3.12.4 **Description** The `navigateTo` function does not correctly use APIs provided by `unjs/ufo`, leading to parsing discrepancies. The function first checks if a URL has a protocol using the `unjs/ufo` package, which works effectively for the `javascript:` protocol. However, the `parseURL` function refuses to parse poorly formatted URLs, and the `isScriptProtocol` function does not perform additional parsing, causing script checks to fail. Whitespace is not stripped in the `parseURL` implementation, bypassing the `isScriptProtocol` checks. Certain special protocols are identified at the top of `parseURL`, and inserting a newline or tab into this sequence can block the special protocol check and bypass latter checks. This issue has an impact after Server-Side Rendering (SSR) has occurred and can lead to Cross-Site Scripting (XSS), access to cookies, and making requests on the user's behalf. **Recommendations** For versions prior to 3.12.4, upgrade to release version 3.12.4 to address this issue. As a temporary workaround, consider using the `URL` constructor provided by the browser for parsing URLs, as it is the safest method. Additionally, making parsing consistent between functions and adapting parsing to be more consistent with the WHATWG URL specification can help mitigate this issue.

**Name of the Vulnerable Software and Affected Versions** Nuxt versions prior to 1.4.5 **Description** The `nuxt/icon` API endpoint, located at `/api/ nuxt icon/[name]`, is vulnerable to improper parsing of the proxied request path, allowing an attacker to change the scheme and host of the request. This leads to Server-Side Request Forgery (SSRF) and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path and can be manipulated by passing a relative scheme or path, allowing the host of the request to be changed. For example, passing a path prefixed with `http:` can change the scheme to HTTP, and subsequently passing a new host, such as `http:127.0.0.1:8080`, can allow requests to be sent to a local server. **Recommendations** For versions prior to 1.4.5, upgrade to release version 1.4.5 to address this issue. As a temporary workaround, consider disabling the `fallbackToApi` option to mitigate the risk of exploitation. Alternatively, prefixing the path with `./` can also prevent the host from being changed after the path is parsed. Ensure the host has not been changed after the path is parsed to prevent SSRF.

**Name of the Vulnerable Software and Affected Versions** nuxt-api-party versions prior to 0.22.1 **Description** The issue arises from a recent change in the detection of absolute URLs, which is no longer sufficient to prevent Server-Side Request Forgery (SSRF). The regular expression `^https?://` used to check for absolute URLs can be bypassed by an absolute URL with leading whitespace, such as ` https://whatever.com`. According to the fetch specification, before a fetch is made, the URL is normalized by removing any leading and trailing HTTP whitespace bytes. This means the final request will be normalized to `https://whatever.com`, bypassing the check and allowing `nuxt-api-party` to send a request outside of the whitelist. This could allow attackers to leak credentials or perform SSRF. **Recommendations** For versions prior to 0.22.1, upgrade to version 0.22.1 or later. As a temporary workaround for users unable to upgrade, revert to the previous method of detecting absolute URLs by using the condition `if (new URL(path, 'http://localhost').origin !== 'http://localhost')`.

**Name of the Vulnerable Software and Affected Versions** nuxt-api-party versions prior to 0.22.1 **Description** The issue concerns the `nuxt-api-party` module, which allows users to proxy API requests. It lacks a filter on options sent to `ofetch`, enabling the abuse of retry logic to cause a server crash due to a stack overflow. A malicious user can construct a URL that will not fetch successfully, then set the retry attempts to a high value, resulting in a denial of service. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 0.22.1, upgrade to version 0.22.1 or later to resolve the issue. As a temporary workaround for users unable to upgrade, limit the `ofetch` options to minimize the risk of exploitation.