3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59414

CVE-2025-59414: Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

Summary

A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

Technical Details

The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:

During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
This data gets serialized with devalue.stringify and stored in the prerendered page
When a client navigates to the prerendered page, devalue.parse deserializes the payload
The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences

Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)

Attack Scenario

// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment

Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
Client-Side Only: Requests originate from the client, not the server

Mitigation

Action Required:

Update to Nuxt 3.19.0+ or 4.1.0+ immediately
Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

Disable prerendering for pages that fetch user-controlled data
Implement strict input validation on API endpoints used during prerendering
Use allowlists for API response structures during prerendering

Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
Maximum length of 100 characters
Prevents path traversal and special characters

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-59414

CVE-2025-59414:

3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nuxt	npm	>= 3.6.0, < 3.19.0	3.19.0
nuxt	npm	>= 4.0.0, < 4.1.0	4.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a client-side path traversal that is enabled by a lack of validation on the server side during prerendering.

Server-Side Flaw: During the server-side rendering (specifically, prerendering), Nuxt serializes the application state. The plugin defined in packages/nuxt/src/app/plugins/revive-payload.server.ts includes a reducer for 'Island' components. The original code for this reducer (data => data && data?.__nuxt_island) would accept any object with a __nuxt_island property and serialize it without validating its contents. This allows an attacker who can control data returned from an API during prerendering to inject a malicious Nuxt Island object with a path traversal payload in the key field (e.g., { "__nuxt_island": { "key": "../../../../internal/service" } }).
Client-Side Execution: When a user navigates to the prerendered page, the client-side JavaScript kicks in. A function within packages/nuxt/src/app/plugins/revive-payload.client.ts (referred to as the "Island reviver") deserializes the state. When it encounters the malicious __nuxt_island object, it takes the key and attempts to fetch the component's data from /__nuxt_island/${key}.json. Due to the lack of sanitization, the client constructs a URL with the path traversal sequence, like /__nuxt_island/../../../../internal/service.json, and sends a request to this unintended endpoint.
The Fix: The provided patch addresses the vulnerability at the source by fixing the server-side flaw. It introduces a validation function isValidIslandKey and modifies the 'Island' reducer in revive-payload.server.ts to use it (data => data && data?.__nuxt_island && isValidIslandKey(data.__nuxt_island.key) && data.__nuxt_island). This ensures that only valid keys are serialized, preventing the malicious payload from ever reaching the client.

The primary vulnerable function identified from the patch is the anonymous reducer within defineNuxtPlugin in revive-payload.server.ts because it fails to validate input. However, the function that actually performs the path traversal is on the client side, in revive-payload.client.ts. While its exact name is not in the provided data, its role as the "Island reviver" is clear from the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-59414: Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

Summary

Technical Details

Prerequisites for Exploitation

Attack Scenario

Impact Assessment

Mitigation

Fix Details

CVE-2025-59414:

3.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

3.1

3.1

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-59414: Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

Summary

Technical Details

Prerequisites for Exploitation

Attack Scenario

Impact Assessment

Mitigation

Fix Details

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI