Nuxt Client-Side Path Traversal Vulnerability in Island Payload Revival

Vulnerability

A client-side path traversal vulnerability has been identified in Nuxt versions 3.6.0 prior to 3.19.0 and 4.0.0 prior to 4.1.0. This vulnerability arises in Nuxt's Island payload revival mechanism, where serialized `__nuxt_island` objects can be manipulated to traverse paths and access different endpoints within the same application domain. The issue occurs during the client-side revival process, specifically in the `revive-payload.client.ts` file.

Impact

Exploitation of this vulnerability could lead to unauthorized access of internal service endpoints via path traversal, potentially allowing for manipulation or retrieval of sensitive data from those endpoints, depending on the application's API structure.

Reproduction

To reproduce this vulnerability, first, ensure that the application is using Nuxt's prerendering feature. During the prerendering process, an API endpoint must be manipulated to return a crafted `__nuxt_island` object containing path traversal sequences. Once the page is prerendered with this data, a client must navigate to the page, triggering the Island reviver to fetch the `__nuxt_island` payload from the server. If the server does not properly handle path traversal, the request will be successful, demonstrating the vulnerability.

Remediation

Users are advised to update Nuxt to version 3.19.0 or later, or to version 4.1.0 or later. Review any prerendered pages that fetch external or user-controlled data. If an immediate update is not possible, consider disabling prerendering for affected pages, implementing strict input validation on relevant API endpoints, or using allowlists for API response structures during prerendering.
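The input-validation and allowlist mitigations above are easiest to reason about with a concrete check. The following is an added example, not Nuxt's own code: it validates a serialized island object before any of its fields are used to build the revival fetch path, rejecting traversal sequences in raw, percent-encoded and double-encoded form. The `name` field, the `/__nuxt_island/` base path and the character allowlist are assumptions made for illustration; check the real payload shape in the Nuxt version you run.

```javascript
// Added example, not Nuxt's own code. Demonstrates the allowlist / input
// validation check the remediation describes: reject any serialized island
// payload whose fields could steer the revival fetch off its intended endpoint.
// The `name` field and the `/__nuxt_island/` base path are assumed for
// illustration; consult the real payload shape in your Nuxt version.

const ISLAND_BASE = '/__nuxt_island/';           // assumed base path
const ALLOWED_NAME = /^[A-Za-z0-9_-]+$/;         // conservative allowlist

// Decode percent-encoding up to `rounds` times. Returns null if any round
// yields malformed encoding (treated as hostile rather than guessed at).
function decodeRepeatedly(value, rounds) {
  let current = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return null;
    }
    if (next === current) break;   // nothing left to decode
    current = next;
  }
  return current;
}

// True only when `name` is a single, plain path segment with no traversal
// potential, even after up to two rounds of URL-decoding.
function isSafeIslandName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 128) {
    return false;
  }
  const decoded = decodeRepeatedly(name, 2);
  if (decoded === null) return false;
  for (const candidate of [name, decoded]) {
    if (candidate.includes('/') || candidate.includes('\\')) return false;
    if (candidate === '.' || candidate === '..') return false;
    if (candidate.includes('\0')) return false;
  }
  return ALLOWED_NAME.test(decoded);
}

// Validate the whole payload object before any of it is used.
function validateIslandPayload(payload) {
  return payload !== null
    && typeof payload === 'object'
    && isSafeIslandName(payload.name);
}

// Build the fetch path for a validated payload, or return null on rejection.
// The final prefix check is defense in depth against any later weakening of
// the per-field validation above.
function islandFetchPath(payload) {
  if (!validateIslandPayload(payload)) return null;
  const url = new URL(ISLAND_BASE + encodeURIComponent(payload.name), 'https://app.invalid');
  if (!url.pathname.startsWith(ISLAND_BASE)) return null;
  return url.pathname;
}

// Constructed sample payloads: one benign, the rest traversal attempts or
// malformed input that a prerender-time API response could have injected.
const SAMPLES = [
  { name: 'ServerCounter' },
  { name: '../api/admin' },
  { name: '..%2Fapi%2Fadmin' },
  { name: '%252e%252e/api' },
  { name: 'x\u0000.json' },
  { name: 42 },
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), '->', islandFetchPath(sample));
}
```

The same `validateIslandPayload` check can be applied on both sides: at prerender time, before a fetched API response is serialized into the page, and again at revival time, so a payload that slipped past one layer is still refused by the other.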

Added: Sep 17, 2025, 7:18 PM
Updated: Sep 17, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 5.4
remediation: 8.3
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.