A recently uncovered vulnerability in the widely used Nuxt framework could open the door for attackers to poison CDN caches, leading to broken or inaccessible full-stack Vue.js applications.
Tracked as CVE-2025-27415 with a CVSS score of 7.5, this flaw affects all Nuxt versions from 3.0.0 up to (but not including) 3.16.0. The issue stems from how Nuxt processes certain specially crafted HTTP requests, particularly those targeting endpoints like: https://yoursite.com/?/_payload.json
If a Content Delivery Network (CDN) does not properly account for query strings when caching, an attacker can trick the CDN into storing a malformed JSON response. As a result, all users might receive this corrupted content, effectively breaking the site or rendering it completely offline. Worse still, attackers could automate this process by repeatedly poisoning the cache, causing persistent Denial of Service (DoS) conditions.
Given that Nuxt powers millions of applications and sees over 3.4 million downloads per month, this vulnerability has serious implications for the Vue.js community.
Recommendations
- Upgrade Immediately: Developers using Nuxt 3.0.0 to 3.15.x should upgrade to Nuxt 3.16.0 or later, which contains the official patch.
- Audit CDN Configuration: Ensure your CDN is configured to respect query strings when caching responses to prevent similar attack vectors.
- Monitor Application Availability: Keep an eye on unusual site downtime or degraded performance, which could indicate cache poisoning attempts.
- Review Security Headers: Implement proper security headers (e.g., Cache-Control, Vary) to control how caching is handled.
- Stay Updated: Regularly follow Nuxt’s official releases and security advisories to keep your application secure.
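
To support the upgrade and monitoring recommendations above, the following added example (not code from the Nuxt project or from this advisory) checks a version string against the affected range and scans CDN or origin access logs for requests that carry `/_payload.json` in the query string instead of the path. The log format (common/combined), the function names and the sample log lines are assumptions made for illustration.

```javascript
// Added example: triage helpers for CVE-2025-27415 (hypothetical names).
const PAYLOAD_MARKER = "/_payload.json";

// Affected range stated in the advisory: 3.0.0 <= version < 3.16.0.
// Pre-release suffixes are ignored for simplicity.
function isAffectedNuxt(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return Number(m[1]) === 3 && Number(m[2]) < 16;
}

// Suspicious: the payload marker sits in the query string while the
// path itself is not a payload route (the "/?/_payload.json" shape).
function isSuspiciousTarget(target) {
  const q = target.indexOf("?");
  if (q === -1) return false;
  const path = target.slice(0, q);
  let query = target.slice(q + 1);
  try { query = decodeURIComponent(query); } catch { /* keep raw on bad escapes */ }
  return query.includes(PAYLOAD_MARKER) && !path.endsWith(PAYLOAD_MARKER);
}

// Extract the request target from each log line and count suspicious
// requests per client address, so repeated attempts stand out.
function scanAccessLog(lines) {
  const hits = new Map();
  for (const line of lines) {
    const m = /^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (m && isSuspiciousTarget(m[2])) hits.set(m[1], (hits.get(m[1]) || 0) + 1);
  }
  return hits;
}

// Constructed sample log lines (documentation address ranges, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /?/_payload.json HTTP/1.1" 200 312',
  '203.0.113.7 - - [01/Apr/2025:10:00:31 +0000] "GET /?/_payload.json HTTP/1.1" 200 312',
  '198.51.100.4 - - [01/Apr/2025:10:00:40 +0000] "GET /blog/_payload.json?abc123 HTTP/1.1" 200 5120',
  '198.51.100.4 - - [01/Apr/2025:10:00:41 +0000] "GET /?utm_source=news HTTP/1.1" 200 20480',
];

console.log(isAffectedNuxt("3.15.4"), [...scanAccessLog(SAMPLE_LOG)]);
```

Repeated hits from the same address at regular intervals are consistent with the automated re-poisoning described above and are worth correlating with cache purge and downtime events.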