Dev Server XSS in nuxt/framework


Reported on

Oct 26th 2022


The developer server unsafely renders the stack trace within errors. This can be manipulated by sending a specially crafted request.

Root Cause

The error-dev.vuetemplate, within @nuxt\ui-templates uses the v-html directive to render the stacktrace section of the error.

  <h1 class="..." v-text="statusCode" />
  <p class="..." v-text="description" />
  <div class="...">
    <pre class="..." v-html="stack" />

This would normally not be an issue, however nuxt provides a method for supplying the stacktrace VIA a specially crafted URL.


Navigating to /__nuxt_error?stack=%0A<script>alert("xss!")</script> will produce XSS.

The first line of stack traces is removed, hence the %0A.

Proof of Concept Navigate to the url /__nuxt_error?stack=%0A<script>alert("xss!")</script>


This vulnerability is only possible within dev mode, which limits its impact.

In misconfigured sites (sites deployed on dev mode), this will have the same impact as regular XSS.

In some scenarios, this may still have impact as the site may contain production secrets or give access to confidential information.

Ultimately, this is a fairly minor vulnerability, but it should be patched as it still provides a foothold for further exploitation (and is not documented).

We are processing your report and will contact the nuxt/framework team within 24 hours. a year ago
OhB00 modified the report
a year ago
OhB00 modified the report
a year ago
We have contacted a member of the nuxt/framework team and are waiting to hear back a year ago
We have sent a follow up to the nuxt/framework team. We will try again in 7 days. a year ago
pooya parsa
a year ago


PR landed to prevent directly accessing /__nuxt_error

We have sent a second follow up to the nuxt/framework team. We will try again in 10 days. 10 months ago
10 months ago


Looks fixed to me, can we close this?

We have sent a third and final follow up to the nuxt/framework team. This report is now considered stale. 10 months ago
Daniel Roe validated this vulnerability 9 months ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Daniel Roe marked this as fixed in v3.0.0-rc.13 with commit 253c8f 9 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Daniel Roe published this vulnerability 9 months ago
to join this conversation