Description

Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0.

INFO

Published Date :

2025-03-19T19:02:04.824Z

Last Modified :

2025-03-19T19:22:25.732Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-27415 vulnerability.

Vendors Products
Nuxt
  • Nuxt
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-27415.

URL Resource
https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact