PT-2026-38623 · Npm · Nuxt Og Image
B-Hermes · Published 2026-05-07 · Updated 2026-05-14 · CVE-2026-44589
CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: nuxt-og-image versions 6.2.5 through 6.4.8; @nuxtjs/og-image versions 6.2.5 through 6.4.8

Description: An issue exists in the isBlockedUrl() function where the denylist used to prevent Server-Side Request Forgery (SSRF) is incomplete. This allows attackers to bypass security checks in two ways.

First, the IPv6 prefix list is insufficient, failing to block several ranges including IPv6-mapped IPv4 loopback addresses (e.g., [::ffff:7f00:1]), site-local addresses ([fec0::/10]), SRv6 SIDs ([5f00::/16]), IPv6 documentation v2 ([3fff::/20]), and NAT64 local-use addresses ([64:ff9b:1::/48]).

Second, the software lacks redirect re-validation: the isBlockedUrl() check is only performed on the initial request, but the subsequent $fetch() operation follows HTTP 3xx redirects without validating the destination. This enables an attacker to use an allowed origin that redirects to an internal IP address to complete an SSRF attack.

The vulnerability is triggered when user-influenced URLs are used within OG image components in production builds.

Recommendations: Update nuxt-og-image and @nuxtjs/og-image to version 6.4.9. As a temporary workaround, restrict user-influenced input in OG image components to prevent the use of arbitrary URLs.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-44589
GHSA-C2RM-G55X-8HR5

Affected Products

Nuxt Og Image