Dev Server XSS in nuxt/framework
Oct 26th 2022
The developer server renders the stack trace inside error pages without escaping it, and the stack trace can be supplied by sending a specially crafted request.
@nuxt/ui-templates uses the v-html directive to render the stack trace section of the error page:
    <h1 class="..." v-text="statusCode" />
    <p class="..." v-text="description" />
    <div class="...">
      <pre class="..." v-html="stack" />
    </div>
This would normally not be an issue; however, nuxt provides a way to supply the stack trace via a specially crafted URL.
Requesting /__nuxt_error?stack=%0A<script>alert("xss!")</script> will produce XSS.
The first line of stack traces is removed, hence the
Proof of Concept
Navigate to the URL above in a browser while the dev server is running.
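The following is an added example written for this report; it is not code from nuxt or @nuxt/ui-templates. It models the error page's handling of the stack parameter as described above (a stack string taken from the query string with its first line dropped, which is an assumed simplification of nuxt's real handling), renders it once the way v-html does and once with HTML escaping (the behaviour v-text gives), and checks which rendering still contains raw markup. The function names escapeHtml, renderStackUnsafe, renderStackSafe, stackFromQuery and containsRawMarkup are hypothetical.

```javascript
// Added example (not nuxt project code): why v-html on an attacker-supplied
// stack is dangerous, and what the escaped (v-text-equivalent) rendering looks like.

// Minimal HTML escaper for text placed inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Mimics the vulnerable template: the stack is inserted as raw markup (v-html).
function renderStackUnsafe(stack) {
  return `<pre class="stack">${stack}</pre>`;
}

// Hardened rendering: escape before insertion (what v-text would produce).
function renderStackSafe(stack) {
  return `<pre class="stack">${escapeHtml(stack)}</pre>`;
}

// Assumed simplification of the dev server's behaviour described in the report:
// read `stack` from the query string and drop its first line.
function stackFromQuery(requestPath) {
  const url = new URL(requestPath, 'http://localhost'); // hypothetical base origin
  const stack = url.searchParams.get('stack') ?? '';
  return stack.split('\n').slice(1).join('\n');
}

// Detection helper: does the rendered fragment still contain a tag that came from the input?
function containsRawMarkup(html) {
  const inner = html.replace(/^<pre class="stack">|<\/pre>$/g, '');
  return /<[a-z!/]/i.test(inner);
}

// Constructed request using the URL from the report above.
const REQUEST = '/__nuxt_error?stack=%0A<script>alert("xss!")</script>';

function demo() {
  const stack = stackFromQuery(REQUEST);
  return {
    stack,
    unsafeHasMarkup: containsRawMarkup(renderStackUnsafe(stack)), // true
    safeHasMarkup: containsRawMarkup(renderStackSafe(stack)),     // false
    safeHtml: renderStackSafe(stack),
  };
}
```

Run with `node` and call `demo()`: the v-html-style rendering carries the script tag through unchanged, while the escaped rendering turns every `<`, `>` and `"` into an entity, so the browser shows the text of the stack trace instead of executing it. The escaping step is the whole fix; any other sanitiser applied to the stack before v-html would have to be at least this strict.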
This vulnerability is only possible within dev mode, which limits its impact.
In misconfigured sites (sites deployed in dev mode), this has the same impact as a regular XSS.
In some scenarios, this may still have impact as the site may contain production secrets or give access to confidential information.
Ultimately, this is a fairly minor vulnerability, but it should be patched as it still provides a foothold for further exploitation (and is not documented).