AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-c9cv-mq2m-ppp3: Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`

mediumvulnerability

security

Source: GitHub Advisory DatabaseJune 16, 2026

Summary

Nuxt has three URL-handling vulnerabilities in its `navigateTo` and `reloadNuxtApp` functions. First, attackers can bypass path checks using obfuscated paths (like `/..//evil.com`) that get normalized to protocol-relative URLs (like `//evil.com`), causing server-side redirects to attacker sites. Second, the `open` option in `navigateTo` doesn't block javascript: URLs, allowing script execution. Third, `reloadNuxtApp` accepts protocol-relative paths that bypass script-blocking checks. All three can lead to phishing, OAuth token theft, or reflected XSS (cross-site scripting, where attackers inject malicious code into a website's response).

Solution / Mitigation

Update to nuxt@4.4.7 or nuxt@3.21.7. Alternatively, the source provides workarounds: (1) validate redirect targets before passing to `navigateTo` by rejecting paths where `new URL(target, 'http://localhost').pathname` starts with `//`, or only accept a known allow-list of paths; (2) for the `open` option, reject any user-controlled URL whose protocol is not in an allow-list (typically just `http:` and `https:`).

Classification

Attack SophisticationModerate

Affected Packages

nuxt@< 3.21.7 (fixed: 3.21.7)nuxt@>= 4.0.0, < 4.4.7 (fixed: 4.4.7)

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-c9cv-mq2m-ppp3

First tracked: June 16, 2026 at 02:00 PM

Classified by LLM (prompt v3) · confidence: 95%