Nuxt OG Image Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Nuxt OG Image package, in versions prior to 6.2.5. The issue is in the image-generation component reached via the URI '/_og/d/' (or '/og-image/' in older versions). It allows arbitrary attributes to be injected into the HTML page body, potentially leading to the execution of injected JavaScript code. The cause is improper parsing of GET parameters, which are inserted directly into the generated page without adequate sanitization.
Impact
Exploitation of this vulnerability allows for the injection of HTML and JavaScript into the affected page, with the injected script being executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, access the '/_og/d/og.html' endpoint with a crafted query string that includes JavaScript event attributes, such as 'onmouseover', along with other parameters like 'width' and 'height'. The injected attributes will be reflected in the response, executing any included JavaScript code, such as an alert displaying the document's cookies.
Remediation
Users are advised to update to Nuxt OG Image version 6.2.5 or later, where this vulnerability has been patched.
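The flaw class described above, shown beside a hardened form, as an added example that is not Nuxt OG Image's own code and not the 6.2.5 patch. The function names, the `width`/`height` allowlist and the numeric check are assumptions made for the illustration.

```javascript
// Added illustration; not Nuxt OG Image source. All names here are hypothetical.
const ALLOWED_ATTRS = new Set(['width', 'height']); // assumed allowlist for this sketch

// Escape characters that could break out of a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe pattern: every GET parameter is reflected as an attribute on <body>,
// so a parameter named like an event handler becomes a live handler.
function renderBodyUnsafe(query) {
  const attrs = [...new URLSearchParams(query)]
    .map(([name, value]) => `${name}="${value}"`)
    .join(' ');
  return `<body ${attrs}></body>`;
}

// Hardened pattern: only allowlisted names, validated values, escaped output.
function renderBodySafe(query) {
  const attrs = new Map(); // Map keeps one value per name if a parameter repeats
  for (const [name, value] of new URLSearchParams(query)) {
    const key = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(key)) continue;   // drops on* handlers and unknown names
    if (!/^\d{1,4}$/.test(value)) continue;  // dimensions must be small integers
    attrs.set(key, escapeAttr(value));
  }
  const rendered = [...attrs].map(([k, v]) => ` ${k}="${v}"`).join('');
  return `<body${rendered}></body>`;
}

// Constructed sample query using the parameter names the advisory mentions.
const sampleQuery = 'width=1200&height=630&onmouseover=alert(document.cookie)';

console.log(renderBodyUnsafe(sampleQuery)); // handler attribute is reflected
console.log(renderBodySafe(sampleQuery));   // only width and height survive
```

The allowlist is the control that matters here: escaping values alone does not help when the attribute name itself is attacker-chosen.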
