npm · @nuxt/nitro-server · CVE-2026-47200
**Name of the Vulnerable Software and Affected Versions**
Nuxt versions 3.11.0 through 3.21.5
Nuxt versions 4.0.0-alpha.1 through 4.4.5
@nuxt/nitro-server versions 3.20.0 through 3.21.5
@nuxt/nitro-server versions 4.0.0-alpha.1 through 4.4.5
**Description**
When `experimental.componentIslands` is enabled, any `.server.vue` file located under `pages/` is automatically registered as a server island and exposed via the `/__nuxt_island/:name` endpoint. Requests to this endpoint render the page component directly through the SSR (Server-Side Rendering) renderer without instantiating Vue Router. Consequently, route middleware declared on the page, such as middleware defined via `definePageMeta({ middleware })`, is not executed. An unauthenticated attacker can therefore bypass authentication checks that rely solely on route middleware by requesting the island endpoint directly and receiving the server-rendered HTML.
**Recommendations**
Update Nuxt to version 3.21.6 or 4.4.6.
Update @nuxt/nitro-server to version 3.21.6 or 4.4.6.
As a temporary workaround, enforce authentication inside the `.server.vue` page by reading the session from `useRequestEvent()` and throwing an error or redirecting before returning data.
Disable `experimental.componentIslands` if the feature is not required.
Restrict access to the `/__nuxt_island/page_*` URL prefix using a reverse proxy or server middleware.
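
To confirm whether a project resolves to an affected release before and after updating, the following added example (not part of the advisory or of Nuxt's own tooling) checks the `packages` map of an npm `package-lock.json` against the version ranges listed above, including the `4.0.0-alpha.1` prerelease lower bound. The function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges copied from the advisory (inclusive bounds).
const AFFECTED = new Map([
  ['nuxt', [['3.11.0', '3.21.5'], ['4.0.0-alpha.1', '4.4.5']]],
  ['@nuxt/nitro-server', [['3.20.0', '3.21.5'], ['4.0.0-alpha.1', '4.4.5']]],
]);

// Split "4.0.0-alpha.1" into core [4, 0, 0] and prerelease ids ['alpha', '1'].
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(version);
  return m && { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0.0 precedence: numeric core first, then a prerelease sorts below its release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  if (!a.pre.length || !b.pre.length) return Math.sign(b.pre.length - a.pre.length);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts lower
    if (y === undefined) return 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return +x < +y ? -1 : 1;
    if (nx !== ny) return nx ? -1 : 1; // numeric ids sort below alphanumeric ones
    return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` of package `name` lies inside one of the advisory's ranges.
function isAffected(name, version) {
  const v = parse(version), ranges = AFFECTED.get(name);
  if (!v || !ranges) return false;
  return ranges.some(([lo, hi]) => compare(v, parse(lo)) >= 0 && compare(v, parse(hi)) <= 0);
}

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/nuxt"; nested copies count too.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (isAffected(name, entry.version || '')) hits.push(`${name}@${entry.version}`);
  }
  return hits;
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/nuxt': { version: '3.19.2' },
  'node_modules/@nuxt/nitro-server': { version: '3.21.6' },
  'node_modules/legacy/node_modules/nuxt': { version: '4.0.0-alpha.1' },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

An empty result only shows that the lockfile resolves outside the affected ranges; pages that rely solely on route middleware for authentication still warrant the in-page check described above.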