Dev Server XSS in nuxt/framework
Reported on
Oct 26th 2022
Description
The Nuxt development server renders the stack trace of an error page as raw HTML. Because the stack trace can be supplied by the client through a specially crafted request, this is a reflected cross-site scripting (XSS) vulnerability.
Root Cause
The error-dev.vue template, within @nuxt/ui-templates, uses the v-html directive to render the stack trace section of the error page, so whatever is in stack is inserted as markup rather than as text:
<h1 class="..." v-text="statusCode" />
<p class="..." v-text="description" />
<div class="...">
  <!-- v-text above escapes; v-html here inserts the stack trace unescaped -->
  <pre class="..." v-html="stack" />
</div>
This would normally not be an issue, since the stack would come from a genuine server-side error. However, Nuxt also provides a way to supply the stack trace via a specially crafted URL, which puts attacker-controlled text into v-html.
Exploitation
Navigating to /__nuxt_error?stack=%0A<script>alert("xss!")</script>
will produce XSS.
The first line of the stack trace is removed before rendering, hence the leading %0A (an encoded newline): it makes the payload the second line, so it survives intact.
Proof of Concept
https://stackblitz.com/github/nuxt/framework/tree/main/examples/essentials/hello-world?file=app.vue&theme=dark
Navigate to the URL /__nuxt_error?stack=%0A<script>alert("xss!")</script>
Impact
This vulnerability is only reachable in dev mode, which limits its impact.
On misconfigured sites (sites deployed in dev mode) it has the same impact as any reflected XSS.
In some scenarios it may still have impact, as the site may contain production secrets or give access to confidential information.
Ultimately this is a fairly minor vulnerability, but it should be patched as it still provides a foothold for further exploitation (and the /__nuxt_error endpoint is not documented).
A PR landed to prevent direct access to /__nuxt_error:
https://github.com/nuxt/framework/pull/8673