Firefox XSS when redirecting to untrusted URL in nuxt/framework

Valid

Reported on

Aug 26th 2022


Description

When redirecting server-side with navigateTo using untrusted user data and `external: true`, XSS can be triggered on Firefox (probably other browsers too). The cause is that h3 expects JSON.stringify to sanitize HTML, and Nuxt 3 assumes the same by delegating to h3's sendRedirect function.

Proof of Concept

<template>
  <div>
    XSS
  </div>
</template>

<script setup lang="ts">
// useRoute and navigateTo are Nuxt 3 auto-imports; no explicit import is needed.
const r = useRoute();

// Deliberately unsafe, as the report describes: the untrusted query parameter
// is passed straight to an external server-side redirect.
if (r.query.x) {
  navigateTo(r.query.x as string, { external: true })
}
</script>

Navigate to http://localhost:3000/?x=wss://a?"><script>alert(1)</script>

Issue

The root cause is in h3, in the sendRedirect function that Nuxt 3 calls.

Impact

Access to sensitive data, especially for non-static sites.

The impact of XSS varies with the features available on the affected site.

We are processing your report and will contact the nuxt/framework team within 24 hours. a month ago
We have contacted a member of the nuxt/framework team and are waiting to hear back a month ago
We have sent a follow up to the nuxt/framework team. We will try again in 7 days. 24 days ago
pooya parsa
24 days ago

Maintainer


Hi and thanks for reporting the issue. I've reviewed it and it affects only nuxt-edge (non-released version), and it seems the reproduction is only effective on Firefox browsers, which render the page alongside redirecting.

For context, this issue appeared with a new h3 feature that was implemented in Nuxt 3:

  • https://github.com/unjs/h3/commit/606de3bb3abeacc44debc164d23677853066a4e0 (affecting h3@0.7.13, 0.7.14, 0.7.15, 0.7.16)
  • https://github.com/nuxt/framework/pull/5022 (affecting only edge release channel)

The issue is resolved in h3 0.7.17 by always encoding the URL before passing it to stringify (https://github.com/unjs/h3/commit/01476acb98a248d36544573febb562d2cd5fee09).

There might be other XSS vulnerabilities. If you discover more, please report them directly to unjs/h3 instead, and cheers!
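To make concrete why JSON.stringify is not an HTML sanitizer (the mechanism in the Description) and what "encoding the URL before passing it to stringify" changes (the maintainer's fix), here is an added JavaScript example. It is not h3's or Nuxt's code: the template shape, the function names and the choice of encodeURI() are assumptions of the example; the payload is the one from the PoC URL above.

```javascript
// Added example, not h3's or Nuxt's own code: a simplified model of a
// server-side redirect page builder, in the weak form the report describes
// (JSON.stringify treated as an HTML sanitizer) and in the hardened form the
// maintainer describes (encode the URL first). Template shape, function
// names and the use of encodeURI() are assumptions of this example.

const TEMPLATE_HEAD = '<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=';
const TEMPLATE_TAIL = '"></head></html>';

// Weak: JSON.stringify escapes '"' as '\"', but an HTML tokenizer does not
// treat backslash as an escape, so the quote still ends the attribute and
// everything after it is parsed as markup. '<' and '>' pass through untouched.
function buildRedirectBodyWeak(location) {
  const quoted = JSON.stringify(location).slice(1, -1); // drop the outer quotes
  return TEMPLATE_HEAD + quoted + TEMPLATE_TAIL;
}

// Hardened: percent-encode first. encodeURI() maps '"' to %22, '<' to %3C and
// '>' to %3E, so no attribute-closing or tag-opening character reaches the markup.
function buildRedirectBodySafe(location) {
  const quoted = JSON.stringify(encodeURI(location)).slice(1, -1);
  return TEMPLATE_HEAD + quoted + TEMPLATE_TAIL;
}

// Read the body the way a browser would: the attribute value runs to the first
// '"', and whatever sits between that quote and </head> is markup. Returns the
// redirect target the browser would see and any element tags that were injected.
function analyzeRedirectBody(body) {
  const marker = 'content="0; url=';
  const start = body.indexOf(marker) + marker.length;
  const end = body.indexOf('"', start);
  const headEnd = body.indexOf('</head>');
  const tail = body.slice(end + 1, headEnd);
  return {
    target: body.slice(start, end),
    injectedTags: (tail.match(/<[a-z]+/gi) || []).map((t) => t.toLowerCase()),
  };
}

// Constructed sample inputs: the payload from the report's PoC URL, and a
// benign URL that already contains a percent-encoded character.
const PAYLOAD = 'wss://a?"><script>alert(1)</script>';
const BENIGN = 'https://example.com/login?next=%2Fhome';

function demo() {
  for (const [name, build] of [['weak', buildRedirectBodyWeak], ['safe', buildRedirectBodySafe]]) {
    for (const url of [PAYLOAD, BENIGN]) {
      const result = analyzeRedirectBody(build(url));
      console.log(name, JSON.stringify(url), '->', result);
    }
  }
}

demo();
```

Run it with node. The weak builder fed the PoC payload reports one injected `<script` tag and a redirect target cut off at the quote; the hardened builder reports no injected tags and a target of `wss://a?%22%3E%3Cscript%3Ealert(1)%3C/script%3E`. The last demo line shows the caveat of this particular hardening: encodeURI() re-encodes an existing `%`, so a URL that is already percent-encoded comes out double-encoded (`%2F` becomes `%252F`); a real implementation has to decide how to treat pre-encoded input, which this model leaves aside. The check in analyzeRedirectBody is the kind of assertion a regression test for a redirect helper can run over its rendered body.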

pooya parsa validated this vulnerability 24 days ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pooya parsa confirmed that a fix has been merged on aece2c 24 days ago
pooya parsa has been awarded the fix bounty
pooya parsa gave praise 24 days ago
Thanks!!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1