Nuxt OG Image Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Nuxt OG Image package in versions prior to 6.2.5. The issue is in the image-generation component reached via the URI '/_og/d/' (or '/og-image/' in older versions). The component places no restrictions on the width and height parameters of generated images, so image processing can exhaust server resources. The vulnerability was reproduced using the standard configuration and default templates.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the server's resources are exhausted, causing a slowdown or unresponsiveness.

Reproduction

To reproduce this vulnerability, send a request to the '/_og/d/' endpoint with excessively large width and height parameters. This will cause the server to generate an image with those dimensions, leading to increased processing time and resource consumption. Monitor the server's response and resource usage to confirm the denial-of-service condition.

Remediation

Users are advised to update to Nuxt OG Image version 6.2.5 or later, where this vulnerability has been patched.
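
Until the upgrade is deployed, a check in front of the renderer can bound the requested dimensions. The following is an added example, not code from Nuxt OG Image or its patch; it assumes the dimensions arrive as `width` and `height` query parameters, and the function names and limits are hypothetical values chosen for illustration.

```javascript
// Added example: pre-filter for the OG image routes named in the advisory.
// Assumptions: dimensions arrive as ?width= and ?height= query parameters;
// the limits below are illustrative, not values taken from the package.
const OG_PREFIXES = ['/_og/d/', '/og-image/'];
const MAX_SIDE = 2400;            // assumed cap per dimension, in pixels
const MAX_PIXELS = 2400 * 1260;   // assumed cap on total area (2x of 1200x630)

function parseDimension(raw) {
  // Plain decimal digits only: rejects "1e9", "-5", "0x7fffffff", "" and " 12".
  if (!/^[0-9]{1,5}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= 1 ? n : null;
}

function checkOgRequest(requestUrl) {
  // The base is only there so relative request paths can be parsed.
  const url = new URL(requestUrl, 'http://localhost');
  if (!OG_PREFIXES.some((p) => url.pathname.startsWith(p))) {
    return { allowed: true, reason: 'not an OG image route' };
  }
  const dims = {};
  for (const name of ['width', 'height']) {
    const values = url.searchParams.getAll(name);
    if (values.length === 0) continue; // absent: the renderer default applies
    // Repeated parameters are refused so filter and renderer cannot disagree.
    if (values.length > 1) return { allowed: false, reason: `duplicate ${name}` };
    const n = parseDimension(values[0]);
    if (n === null) return { allowed: false, reason: `invalid ${name}` };
    if (n > MAX_SIDE) return { allowed: false, reason: `${name} exceeds ${MAX_SIDE}` };
    dims[name] = n;
  }
  // Each side can pass on its own while the product is still too large.
  if (dims.width && dims.height && dims.width * dims.height > MAX_PIXELS) {
    return { allowed: false, reason: 'pixel area exceeds limit' };
  }
  return { allowed: true, reason: 'within limits' };
}

// Constructed sample requests, not taken from real traffic.
for (const u of ['/_og/d/page.png?width=1200&height=630',
                 '/_og/d/page.png?width=2400&height=2400',
                 '/og-image/page.png?width=1e9']) {
  console.log(u, JSON.stringify(checkOgRequest(u)));
}
```

A request that fails the check can be answered with a 400 before any rendering work starts; logging the reason gives a signal for probing of these routes.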

Added: Mar 31, 2026, 11:09 PM
Updated: Mar 31, 2026, 11:09 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.