XSS in function navigateTo in nuxt/nuxt


Reported on

Jul 26th 2023


The check for external links checks if the protocol is script:, which is not a valid protocol and allows the user to provide a valid javascript payload using javascript: protocol.

 if (isExternal && parseURL(toPath).protocol === 'script:') {
    throw new Error('Cannot navigate to an URL with script protocol.')

Proof of Concept 1

  <button @click="async ()=>{
    await navigateTo('javascript:alert(document.domain)', {
    external: true,


Allows the injection of javascript code, which could lead to account takeover when cookies are misconfigured. User interaction is required since the user needs to actively click on the submitted link.

We are processing your report and will contact the nuxt team within 24 hours. 2 months ago
We have contacted a member of the nuxt team and are waiting to hear back 2 months ago
nuxt/nuxt maintainer has acknowledged this report 2 months ago
nuxt/nuxt maintainer validated this vulnerability 2 months ago
Edoardo Geraci has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Daniel Roe marked this as fixed in 3.7.0 with commit 2f734d 2 months ago
Daniel Roe has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Aug 14th 2023
router.ts#L139-L142 has been validated
Daniel Roe published this vulnerability a month ago
to join this conversation