GHSA-mm7m-92g8-7m47: Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Summary
Nuxt has a security vulnerability where routeRules (a feature that applies middleware and other settings to URL paths) uses case-sensitive matching, but vue-router (the routing library Nuxt uses) defaults to case-insensitive matching. This mismatch allows attackers to bypass authorization middleware by changing the capitalization of URL paths, for example accessing `/Admin/dashboard` instead of `/admin/dashboard` to skip security checks.
Solution / Mitigation
Update to nuxt@4.4.7 or nuxt@3.21.7, which fix the vulnerability by normalizing path matching to be case-insensitive consistently. If you cannot upgrade immediately, you can work around the issue by:
(1) setting `router.options.sensitive = true` to make all route matching case-sensitive,
(2) moving security-critical middleware from `routeRules.appMiddleware` to `definePageMeta({ middleware: [...] })` on protected page components, or
(3) enforcing authorization at the API or data-fetching layer instead of relying on middleware.
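The mismatch described in the Summary and the effect of the fix and of workaround (1), as an added example that is not Nuxt or vue-router source code. It is a simplified model: the rule table, page list and the helper names `routerResolves`, `middlewareFor` and `audit` are assumptions made for illustration.

```javascript
// Simplified model (constructed for illustration): not Nuxt or vue-router source.
// Rule patterns support a trailing "/**" wildcard only.
const routeRules = { '/admin/**': { appMiddleware: ['auth'] } }; // constructed sample
const pages = ['/admin/dashboard', '/about'];                     // constructed sample

// Router side: case-insensitive unless `sensitive` is true (vue-router's default is false).
function routerResolves(path, { sensitive = false } = {}) {
  const norm = (p) => (sensitive ? p : p.toLowerCase());
  return pages.find((p) => norm(p) === norm(path)) ?? null;
}

// Rule side: caseInsensitive=false models the vulnerable matcher,
// true models rules normalised the same way as the router.
function middlewareFor(path, { caseInsensitive = false } = {}) {
  const norm = (p) => (caseInsensitive ? p.toLowerCase() : p);
  const target = norm(path);
  const found = [];
  for (const [pattern, rule] of Object.entries(routeRules)) {
    const prefix = norm(pattern.replace(/\/\*\*$/, ''));
    if (target === prefix || target.startsWith(prefix + '/')) {
      found.push(...(rule.appMiddleware ?? []));
    }
  }
  return found;
}

// Audit: a path is "unguarded" when it renders a page but misses middleware
// that the page's canonical path is supposed to get.
function audit(paths, routerOpts, ruleOpts) {
  return paths.map((path) => {
    const page = routerResolves(path, routerOpts);
    const middleware = middlewareFor(path, ruleOpts);
    const expected = page ? middlewareFor(page, { caseInsensitive: true }) : [];
    const unguarded = expected.some((m) => !middleware.includes(m));
    return { path, page, middleware, unguarded };
  });
}

const probes = ['/admin/dashboard', '/Admin/dashboard']; // paths from the advisory text
console.table(audit(probes, { sensitive: false }, { caseInsensitive: false })); // mismatch
console.table(audit(probes, { sensitive: false }, { caseInsensitive: true }));  // consistent matching
console.table(audit(probes, { sensitive: true }, { caseInsensitive: false }));  // workaround (1)
```

The same audit shape works as a regression test: list every protected page with a few capitalization variants and fail the build if any row is `unguarded`.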
Vulnerability Details
EPSS: 0.3%
Yes
June 16, 2026
Original source: https://github.com/advisories/GHSA-mm7m-92g8-7m47
First tracked: June 16, 2026 at 02:00 PM