Dev Server XSS in nuxt/framework

Valid

Reported on

Oct 26th 2022


Description

The developer server unsafely renders the stack trace within errors. This can be manipulated by sending a specially crafted request.

Root Cause

The error-dev.vuetemplate, within @nuxt\ui-templates uses the v-html directive to render the stacktrace section of the error.

  <h1 class="..." v-text="statusCode" />
  <p class="..." v-text="description" />
  <div class="...">
    <pre class="..." v-html="stack" />
  </div>

This would normally not be an issue, however nuxt provides a method for supplying the stacktrace VIA a specially crafted URL.

Exploitation

Navigating to /__nuxt_error?stack=%0A<script>alert("xss!")</script> will produce XSS.

The first line of stack traces is removed, hence the %0A.

Proof of Concept

https://stackblitz.com/github/nuxt/framework/tree/main/examples/essentials/hello-world?file=app.vue&theme=dark Navigate to the url /__nuxt_error?stack=%0A<script>alert("xss!")</script>

Impact

This vulnerability is only possible within dev mode, which limits its impact.

In misconfigured sites (sites deployed on dev mode), this will have the same impact as regular XSS.

In some scenarios, this may still have impact as the site may contain production secrets or give access to confidential information.

Ultimately, this is a fairly minor vulnerability, but it should be patched as it still provides a foothold for further exploitation (and is not documented).

We are processing your report and will contact the nuxt/framework team within 24 hours. 2 months ago
OhB00 modified the report
2 months ago
OhB00 modified the report
2 months ago
We have contacted a member of the nuxt/framework team and are waiting to hear back 2 months ago
We have sent a follow up to the nuxt/framework team. We will try again in 7 days. 2 months ago
pooya parsa
2 months ago

Maintainer


PR landed to prevent directly accessing /__nuxt_error https://github.com/nuxt/framework/pull/8673

We have sent a second follow up to the nuxt/framework team. We will try again in 10 days. 2 months ago
OhB00
2 months ago

Researcher


Looks fixed to me, can we close this?

We have sent a third and final follow up to the nuxt/framework team. This report is now considered stale. 2 months ago
Daniel Roe validated this vulnerability a month ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Daniel Roe marked this as fixed in v3.0.0-rc.13 with commit 253c8f a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Daniel Roe published this vulnerability a month ago
to join this conversation