PT-2024-25800 · Nuxt+1 · Nuxt+1

Ohb00 · Published 2024-08-05 · Updated 2024-09-19 · CVE-2024-34343

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Nuxt versions prior to 3.12.4

Description

The navigateTo function does not correctly use the APIs provided by unjs/ufo, which leads to parsing discrepancies. The function first checks whether a URL has a protocol using the unjs/ufo package, which works effectively for the javascript: protocol. However, the parseURL function refuses to parse poorly formatted URLs, and the isScriptProtocol function does not perform additional parsing, causing script checks to fail. Whitespace is not stripped in the parseURL implementation, which bypasses the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL, and inserting a newline or tab into this sequence can block the special protocol check and bypass later checks. This issue has an impact after Server-Side Rendering (SSR) has occurred and can lead to Cross-Site Scripting (XSS), access to cookies, and requests made on the user's behalf.

Recommendations

For versions prior to 3.12.4, upgrade to release version 3.12.4 to address this issue. As a temporary workaround, consider using the URL constructor provided by the browser for parsing URLs, as it is the safest method. Additionally, making parsing consistent between functions and bringing it closer to the WHATWG URL specification can help mitigate this issue.
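
The workaround above, as an added example that is not Nuxt's or unjs/ufo's code: a navigation-target check built on the URL constructor, next to a deliberately naive string check that shows the parsing discrepancy. The function names, the allow-list and the base URL `https://app.example/` are assumptions, and the inputs are constructed samples.

```javascript
// Added example. All names below are hypothetical, not Nuxt or unjs/ufo APIs.

// Schemes this (assumed) application accepts as navigation targets.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Naive stand-in for a string-based check (NOT unjs/ufo's code): it only
// recognises a scheme written as one contiguous token at the very start.
function naiveHasScriptProtocol(input) {
  return /^(javascript|data|vbscript|blob):/i.test(input);
}

// Hardened check: let the WHATWG parser normalise the input first. It strips
// leading/trailing control characters and spaces and removes ASCII tab and
// newline anywhere in the string, so the scheme read here is the scheme the
// browser would act on.
function isSafeNavigationTarget(input, base = 'https://app.example/') {
  let url;
  try {
    url = new URL(input, base); // relative paths resolve against base
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Constructed sample inputs: two legitimate targets, one plain script URL,
// and three whitespace variants of the kind the description refers to.
const SAMPLES = [
  '/dashboard',
  'https://example.com/docs',
  'javascript:alert(1)',
  'java\nscript:alert(1)',
  '\tjavascript:alert(1)',
  ' javascript:alert(1)',
];

// Run both checks over the samples so the disagreement is visible per input.
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    naiveFlagsScript: naiveHasScriptProtocol(s),
    safe: isSafeNavigationTarget(s),
  }));
}

console.table(compare());
```

The allow-list decides on the parsed `url.protocol`, so a scheme the parser normalises into `javascript:` is rejected even when a string match on the raw input would not flag it.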

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-34343
GHSA-VF6R-87Q4-2VJF

Affected Products

Nuxt
Unjs/Ufo