CVERadar

CVE-2024-34343

Severity: Medium
Product: Nuxt
SVRS: 38/100
CVSSv3: 6.1/10
EPSS: 0.00056/1

CVE-2024-34343 affects Nuxt web applications and can lead to cross-site scripting (XSS) through the navigateTo function. navigateTo attempts to block javascript: URLs, but its protocol check relies on the unjs/ufo library, whose URL parsing is inconsistent with the native parsers that browsers use: a crafted URL that ufo's parseURL does not recognise as carrying a javascript: scheme is nevertheless interpreted as one by the browser, so the check passes and the script executes when the navigation is performed. The CVSS score is 6.1 (the vector requires user interaction, typically a victim following a crafted link or landing on an attacker-controlled redirect target), while the SOCRadar Vulnerability Risk Score (SVRS) is 38, indicating moderate risk. The issue manifests after server-side rendering (SSR) has occurred, potentially exposing users to XSS through crafted Location headers. Versions prior to 3.12.4 are affected; the fix is to upgrade to Nuxt 3.12.4, which corrects the protocol check, and there are no known workarounds. Although the SVRS does not rate it critical, prompt patching remains the appropriate response, since the bypass is reachable wherever user-controlled input flows into navigateTo.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2024-08-05

2024-09-19
SOCRadar AI Insight

Description

CVE-2024-34343 affects Nuxt, a framework for building full-stack web applications with Vue.js. The navigateTo function tries to refuse javascript: URLs, but it determines the URL's protocol with the unjs/ufo library, whose parsing differs from the native parsers browsers use. An attacker who controls the navigation target can supply a URL that ufo does not classify as javascript: but the browser does, bypassing the check and executing script in the victim's browser. The SVRS of 38 indicates moderate risk, but the bypass is reachable wherever user-controlled input flows into navigateTo.

Key Insights

  • An attacker who controls the argument passed to navigateTo can bypass the javascript: protocol check and execute attacker-supplied script in the victim's browser (CWE-79).
  • The root cause is a parsing discrepancy: navigateTo relies on the unjs/ufo library to determine the URL's protocol, and for crafted inputs ufo's result differs from what the browser will do with the same string.
  • The issue is fixed in Nuxt 3.12.4; versions up to 3.12.3 are affected and should be upgraded immediately. No workaround is known.

Mitigation Strategies

  • Upgrade to Nuxt 3.12.4 or later; there is no known workaround for the parser discrepancy itself.
  • Until the upgrade lands, keep user-controlled input out of navigateTo where possible. Where a redirect target must come from the request, validate it with the WHATWG URL parser (new URL(to, base)), which is the parser the browser applies, accept only http: and https:, and prefer an allowlist of relative paths or known hosts over a denylist of schemes.
  • A web application firewall (WAF) can block obvious javascript: payloads, but parser-discrepancy bypasses exist precisely to defeat pattern matching, so treat the WAF as a secondary control rather than a fix.
  • Monitor for suspicious activity and apply security patches promptly.
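Added example (not code from Nuxt, unjs/ufo, or SOCRadar): the block below contrasts a hypothetical lenient scheme extractor, standing in for the class of hand-rolled URL parser the description refers to, with the WHATWG URL parser that browsers actually apply, and then shows a navigation gate built on the latter as the mitigation list recommends. The lenientProtocol function, the probe strings and the isSafeNavigationTarget API are all constructed for this illustration; the specific payloads used against ufo are not given on this page and are not reproduced here.

```javascript
// Added example, not Nuxt's or ufo's code.  Shows why a protocol check built on
// a lenient, hand-rolled URL parser can disagree with the browser, and how to
// gate navigation targets on the WHATWG URL parser instead.
//
// lenientProtocol() is a hypothetical stand-in for the vulnerable parser class:
// it only recognises a scheme when the string *starts* with RFC 3986 scheme
// characters immediately followed by ':'.  It is NOT ufo's parseURL.
const SCHEME_RE = /^([a-zA-Z][a-zA-Z0-9+.-]*):/;

function lenientProtocol(url) {
  const m = SCHEME_RE.exec(url);
  return m ? `${m[1].toLowerCase()}:` : ''; // '' means "relative, no protocol"
}

// What the browser will actually do: the WHATWG URL parser strips leading and
// trailing C0-control/space characters and removes every ASCII tab and newline
// *before* scheme detection.  Node's global URL implements the same standard.
function whatwgProtocol(url, base = 'http://localhost') {
  try {
    return new URL(url, base).protocol;
  } catch {
    return ''; // unparseable even relative to base
  }
}

// Constructed probe strings (not taken from the advisory).  Every one carries a
// javascript: scheme the browser will honour; only the first is recognised by
// the lenient parser.
const PROBES = [
  'javascript:alert(1)',
  ' javascript:alert(1)',       // leading space: stripped by WHATWG
  '\tjavascript:alert(1)',      // leading tab
  'java\tscript:alert(1)',      // tab inside the scheme
  'java\nscript:alert(1)',      // newline inside the scheme
  '\u0001javascript:alert(1)',  // C0 control character
];

// Returns the probes where the lenient check says "no protocol, safe" while the
// browser parser resolves the same string to javascript:.  These are the
// bypass candidates for a check built on the lenient parser.
function findBypasses(probes = PROBES) {
  return probes.filter(
    (p) => lenientProtocol(p) === '' && whatwgProtocol(p) === 'javascript:',
  );
}

// Hardened gate for a navigation/redirect target (hypothetical API).  Resolve
// relative to the application's own origin with the WHATWG parser, allow-list
// the scheme, and refuse cross-origin targets unless the caller opted in.
// Protocol-relative inputs such as "//evil.example/x" resolve to a foreign
// origin and are therefore refused too.
function isSafeNavigationTarget(to, { appOrigin, allowExternal = false }) {
  let origin;
  let target;
  try {
    origin = new URL(appOrigin).origin;
    target = new URL(to, appOrigin);
  } catch {
    return false;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  if (!allowExternal && target.origin !== origin) return false;
  return true;
}

// Stand-alone run: list the disagreements and exercise the gate.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('bypass candidates:', findBypasses().map((p) => JSON.stringify(p)));
  console.log('/dashboard ->', isSafeNavigationTarget('/dashboard', { appOrigin: 'https://app.example' }));
  console.log('" javascript:alert(1)" ->', isSafeNavigationTarget(' javascript:alert(1)', { appOrigin: 'https://app.example', allowExternal: true }));
}
```

Run it with node. The point of findBypasses is that the divergence is structural, not a single magic string: any input the lenient parser fails to classify is handed to the browser unchanged, and the browser's normalisation (control-character stripping, tab and newline removal) restores the scheme. The gate therefore asks the same parser the browser uses and allow-lists the answer, which is what the second mitigation bullet describes.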

Additional Information

  • Threat Actors/APT Groups: No specific threat actors or groups have been identified as actively exploiting this vulnerability.
  • Exploit Status: No public exploit has been published.
  • CISA Warnings: The Cybersecurity and Infrastructure Security Agency (CISA) has not issued a warning for this vulnerability.
  • In the Wild: No exploitation in the wild is known.


Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-34343 | Nuxt up to 3.12.3 URL Parser navigateTo cross site scripting (GHSA-vf6r-87q4-2vjf)
vuldb.com, 2025-03-16
A vulnerability was found in Nuxt up to 3.12.3. It has been classified as problematic. Affected is the function navigateTo of the component URL Parser. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-34343. It

Social Media

CVE-2024-34343 Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to block the `javascript:` … https://t.co/ygru7AU0Ns

Affected Software

Configuration 1
Type: App | Vendor: Nuxt | Product: nuxt

References

GitHub Security Advisory GHSA-vf6r-87q4-2vjf: https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf

CWE Details

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
