PT-2025-38250 · Nuxt · Nuxt
Apyatko
·
Published
2025-09-17
·
Updated
2025-09-18
·
CVE-2025-59414
CVSS v3.1 score: 3.1 (Low)
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Nuxt versions prior to 3.19.0
Nuxt versions prior to 4.1.0
Description
A client-side path traversal vulnerability exists in Nuxt's Island payload revival mechanism. It allows an attacker to redirect client-side requests to other endpoints within the same application domain when specific prerendering conditions are met. The flaw is in the client-side payload revival process: Nuxt Islands are fetched automatically whenever a serialized `__nuxt_island` object is encountered. During prerendering, if an API endpoint returns user-controlled data containing a crafted `__nuxt_island` object, that data is serialized and stored in the prerendered page. When a client navigates to the prerendered page, the payload is deserialized and the Island reviver attempts to fetch `/__nuxt_island/${key}.json`, where `key` can contain path traversal sequences. Exploitation requires prerendered pages, attacker-controlled API responses, and client-side navigation.
Recommendations
Update to Nuxt version 3.19.0 or later.
Update to Nuxt version 4.1.0 or later.
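The mechanism described above, as an added illustration that is not Nuxt's own code: a model of how an unvalidated island key rewrites the same-origin path the reviver fetches, beside a defensive key check of the kind a fix would apply. The `__nuxt_island` object shape, the `[A-Za-z0-9_-]+` key rule and the `app.example` origin are assumptions.

```javascript
// Added example, not Nuxt's code: models the Island reviver's path
// construction described in the advisory beside a defensive key check.
// Assumed: an island reference is an object with a `__nuxt_island`
// property holding { key, params }; valid keys match [A-Za-z0-9_-]+.
const ISLAND_PREFIX = "/__nuxt_island/";
const SAFE_KEY = /^[A-Za-z0-9_-]+$/;

// Vulnerable shape: the key is interpolated unvalidated, so ".."
// segments in a crafted key change which same-origin endpoint is fetched.
function unsafeIslandUrl(key) {
  return `${ISLAND_PREFIX}${key}.json`;
}

// Resolve the path the way the browser's fetch would.
function resolvedPath(url, origin = "https://app.example") {
  return new URL(url, origin).pathname;
}

// Hardened variant: only accept an opaque single-segment key.
function safeIslandUrl(key) {
  if (typeof key !== "string" || !SAFE_KEY.test(key)) {
    throw new Error(`rejected island key: ${JSON.stringify(key)}`);
  }
  return `${ISLAND_PREFIX}${key}.json`;
}

// Constructed sample of deserialized prerendered data: one legitimate
// island reference and one whose key came from an API response.
const SAMPLE_PAYLOAD = {
  data: {
    widget: { __nuxt_island: { key: "Counter_a1b2", params: {} } },
    fromApi: { __nuxt_island: { key: "../api/session", params: {} } },
  },
};

// Walk a payload and report, per island key, whether the hardened check
// accepts it and where the unvalidated path would have resolved.
function auditPayload(payload) {
  const results = [];
  const walk = (node) => {
    if (node === null || typeof node !== "object") return;
    if (Object.prototype.hasOwnProperty.call(node, "__nuxt_island")) {
      const key = node.__nuxt_island.key;
      let accepted = true;
      try { safeIslandUrl(key); } catch { accepted = false; }
      results.push({ key, accepted, unsafeTarget: resolvedPath(unsafeIslandUrl(key)) });
    }
    for (const value of Object.values(node)) walk(value);
  };
  walk(payload);
  return results;
}
```

Running `auditPayload(SAMPLE_PAYLOAD)` shows the legitimate key resolving under `/__nuxt_island/` while the crafted key, if left unvalidated, would resolve to `/api/session.json`; the hardened check rejects the latter before any request is built.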
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Nuxt