Firefox XSS when redirecting to untrusted URL in nuxt/framework


Reported on

Aug 26th 2022


When redirecting server side using navigateTo with untrusted user data and with external links set to true, XSS can be triggered on Firefox (probably other browsers too). This is due to h3 expecting JSON stringfy to sanitize HTML and nuxt3 also assuming that to be true by using the sendRedirect function.

Proof of Concept


<script setup lang="ts">

const r = useRoute();

if (r.query.x) {
  navigateTo(r.query.x as string, { external: true })


Navigate to http://localhost:3000/?x=wss://a?"><script>alert(1)</script>


The root of the issue can be found within h3


Access to sensitive data, especially for non static sites.

Impact of XSS can vary depending on features available on website.

We are processing your report and will contact the nuxt/framework team within 24 hours. a year ago
We have contacted a member of the nuxt/framework team and are waiting to hear back a year ago
We have sent a follow up to the nuxt/framework team. We will try again in 7 days. a year ago
pooya parsa
a year ago


Hi and thanks for reporting the issue. I've reviewed it and it is affecting only nuxt-edge (non released version) and seems reproduction only effective on firefox browsers that render page alongside with redirecting.

For context this issue appeared by a new h3 feature that implemented in Nuxt 3:

  • (affecting h3@0.7.13, 0.7.14, 0.7.15, 0.7.16)
  • (affecting only edge release channel)

The issue is resolved with h3 0.7.17 by ensuring always encoding URL before passing to stringify (

Their might be other XSS vulnerabilities. If discovered more, please directly report them for unjs/h3 instead and cheers!

pooya parsa validated this vulnerability a year ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pooya parsa marked this as fixed in - with commit aece2c a year ago
pooya parsa has been awarded the fix bounty
This vulnerability will not receive a CVE
pooya parsa gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation