Platform: nodejs
Component: nuxt
Fixed in: 3.6.1, 4.0.1, 3.19.0
CVE-2025-59414 describes a client-side path traversal vulnerability in Nuxt, a popular Vue.js framework. The flaw lets an attacker redirect a request that the client makes during island payload revival to an unintended endpoint on the same application origin. It affects Nuxt 3 releases up to 3.18.0 and is fixed in 3.19.0; the remediation guidance on this page also lists 4.1.0 as the fixed release for the Nuxt 4 line.
The vulnerability resides in Nuxt's Island payload revival mechanism. During prerendering, if an API endpoint returns user-controlled data containing a serialized `_nuxtisland` object, that data is captured in the prerendered payload and later revived in the browser. An attacker who can plant such an object controls the path of the request the client then issues: traversal sequences such as `../` move it out of the island endpoint to any other path on the same origin, the browser sends it as an ordinary same-origin request (so the user's cookies go with it), and the response is consumed by the revival code as if it were a legitimate island payload. Depending on which endpoints exist on the site, this can disclose data the page was never meant to fetch or cause the client to call endpoints it should not. Because the request never leaves the application's own origin and executes only in the victim's browser, the blast radius is limited, which is why the issue carries a low severity rating.
This vulnerability is not listed in CISA's KEV catalog. Its EPSS score is 0.05% (15th percentile), a low estimated probability of exploitation in the wild; note that the LOW CVSS rating measures severity, not likelihood of exploitation. No public proof-of-concept code was available at publication. Exploitation requires an API endpoint that reflects user-controlled data into the prerendered payload, so exposure depends on how the application handles input. The CVE was published on 2025-09-17.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC: n/a
CVSS Vector: n/a
The primary mitigation for CVE-2025-59414 is to upgrade to Nuxt 3.19.0 or later (4.1.0 or later on the Nuxt 4 line), which contains the fix. If upgrading immediately is not feasible, audit API endpoints whose responses are captured during prerendering and make sure user-controlled input cannot reach the payload shaped as a serialized `_nuxtisland` object; at minimum, reject keys that contain path separators, dot segments (including percent-encoded forms such as `%2e%2e`), `?` or `#`. Also review and harden access controls on sensitive same-origin endpoints, since any endpoint reachable by a GET request with the user's cookies is a candidate target. There are no WAF rules or detection signatures for this issue, and a server-side WAF is poorly placed to catch it: the traversal is resolved in the browser before the request is sent, so the server only sees a normal-looking request to the final path. Proactive input validation is therefore the practical control.
Update Nuxt to version 3.19.0 or higher, or to version 4.1.0 or higher. This fixes the path traversal vulnerability in the Nuxt Islands payload revival mechanism. The update can be performed via npm or yarn.
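The following is an added illustration of the bug class described in the vulnerability summary and of the key validation suggested in the mitigation guidance. It is not Nuxt's own code: the origin, the island endpoint prefix, the payload shape and the allowed key alphabet are assumptions made for the example, and the sample payloads are constructed.

```javascript
// Added example, not Nuxt's own code. A minimal stand-in for the island
// payload revival step: the vulnerable form splices the revived key into the
// request path unchecked; the hardened form rejects anything that is not a
// plain key. Origin, prefix, payload shape and key alphabet are assumptions.

const ORIGIN = "https://app.example";      // assumed site origin
const ISLAND_PREFIX = "/__nuxt_island/";   // assumed island endpoint prefix

// Vulnerable revival: the key from the revived _nuxtisland object goes into
// the path with no validation. The browser's URL parser resolves "../"
// segments, and their percent-encoded forms, before the request is sent, so
// the server only ever sees a clean, normal-looking path.
function reviveIslandUnsafe(islandObj) {
  return new URL(`${ISLAND_PREFIX}${islandObj.key}.json`, ORIGIN).href;
}

// Hardened revival: allow only the characters a generated island key is
// assumed to contain, so "/", ".", "%", "?" and "#" never reach the URL
// builder. Anything else is rejected before a request is built.
const SAFE_KEY = /^[A-Za-z0-9_-]+$/;   // assumed key alphabet
function reviveIslandSafe(islandObj) {
  const key = islandObj && islandObj.key;
  if (typeof key !== "string" || !SAFE_KEY.test(key)) {
    throw new Error(`rejected island key: ${JSON.stringify(key)}`);
  }
  return new URL(`${ISLAND_PREFIX}${key}.json`, ORIGIN).href;
}

// Constructed API responses as they might appear in a prerendered payload.
// "legit" is the shape of a real island reference; the other two carry keys an
// attacker could plant through user-controlled data echoed by an API route.
const SAMPLE_PAYLOADS = {
  legit:   { _nuxtisland: { key: "HeroBanner_3f2a1c" } },
  dotdot:  { _nuxtisland: { key: "../../api/account/export?format=" } },
  encoded: { _nuxtisland: { key: "%2e%2e/%2e%2e/api/account/export?format=" } },
};

// Does the resolved request still target the island endpoint, or did the key
// escape to another same-origin path?
function escapedIslandPrefix(href) {
  return !new URL(href).pathname.startsWith(ISLAND_PREFIX);
}

// Run every sample through both revivals and report what each would request.
function compareRevivals(payloads = SAMPLE_PAYLOADS) {
  const out = {};
  for (const [name, payload] of Object.entries(payloads)) {
    const island = payload._nuxtisland;
    const unsafe = reviveIslandUnsafe(island);
    let safe;
    try {
      safe = reviveIslandSafe(island);
    } catch (e) {
      safe = "rejected";
    }
    out[name] = { unsafe, escaped: escapedIslandPrefix(unsafe), safe };
  }
  return out;
}

console.log(JSON.stringify(compareRevivals(), null, 2));
```

Both malicious keys resolve, in the unsafe revival, to a request for `/api/account/export` on the site's own origin; the trailing `.json` that the revival appends is pushed harmlessly into the query string. The hardened revival rejects both and leaves the legitimate key untouched.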
CVE-2025-59414 is a client-side path traversal vulnerability in Nuxt 3.18.0 and earlier that lets an attacker steer a request made during island payload revival to an unintended endpoint on the same origin.
If you are using Nuxt 3.18.0 or earlier (or a Nuxt 4 release before 4.1.0), and any API endpoint can reflect user-controlled data into the prerendered payload, you are potentially affected.
Upgrade to Nuxt 3.19.0 or later (4.1.0 or later on Nuxt 4) to remediate the vulnerability. Validating or rejecting user-controlled data that could reach the payload as a serialized `_nuxtisland` object is a temporary workaround.
There are no confirmed reports of active exploitation and no public proof of concept; the issue is rated low severity because its effect is confined to same-origin requests made from the victim's browser.
Refer to the official Nuxt security advisory for detailed information and updates: [https://nuxt.com/security/CVE-2025-59414](https://nuxt.com/security/CVE-2025-59414)