
Nuxt Framework - Remote Code Execution (CVE-2023-3224)

Severity (CVSSv3 Score): 9.8
Vulnerability description

Nuxt Framework is affected by a Remote Code Execution vulnerability in the nuxt-root.vue component. The root cause is improper sanitization of user-provided input in the URL of the /__nuxt_component_test__/ endpoint. This allows an unauthenticated remote attacker to execute commands on the Node.js server.

Risk description

A remote unauthenticated attacker can fully compromise the Node.js server and use it to steal confidential information, install ransomware, or pivot to the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Update the Nuxt Framework to a fixed version; the currently fixed version is 3.5.4.
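As an added example (not code from Pentest-Tools.com or the Nuxt project), the following Python helper ties the vulnerability description and the recommendation above together on the defender's side: it checks an installed Nuxt version against the fixed release 3.5.4 and flags access-log requests that reach the /__nuxt_component_test__/ endpoint. The log lines are constructed, and the assumption that every version below 3.5.4 needs updating is taken from the recommendation alone.

```python
import re
from urllib.parse import unquote, urlsplit

# Affected endpoint named in the advisory (matched with or without trailing slash).
ENDPOINT_PREFIX = "/__nuxt_component_test__"
# First fixed release named in the recommendation.
FIXED_VERSION = (3, 5, 4)

# Request line of the common/combined access-log format: "METHOD path HTTP/x.y".
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def parse_version(text: str) -> tuple:
    """Turn '3.5.3', 'v3.5.3' or '^3.5.3' into (3, 5, 3); pre-release suffixes are ignored."""
    core = text.lstrip("v^~").split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_fixed(installed: str) -> bool:
    """True when the installed Nuxt version is at or above the fixed release."""
    return parse_version(installed) >= FIXED_VERSION

def targets_endpoint(path: str) -> bool:
    """Normalise the request path (strip query string, percent-decode) and test the prefix."""
    decoded = unquote(urlsplit(path).path)
    return decoded == ENDPOINT_PREFIX or decoded.startswith(ENDPOINT_PREFIX + "/")

def find_endpoint_requests(log_lines) -> list:
    """Return (line_number, client_ip, path) for every request that reaches the endpoint."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _REQ_RE.search(line)
        if match and targets_endpoint(match.group("path")):
            client_ip = line.split(" ", 1)[0]
            hits.append((number, client_ip, match.group("path")))
    return hits

# Constructed sample access-log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2023:10:01:02 +0000] "GET /about HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2023:10:01:05 +0000] "GET /__nuxt_component_test__/x?y=1 HTTP/1.1" 200 87',
    '198.51.100.9 - - [12/Jun/2023:10:02:11 +0000] "GET /__nuxt_component_test__ HTTP/1.1" 404 0',
    '198.51.100.9 - - [12/Jun/2023:10:02:30 +0000] "POST /api/login HTTP/1.1" 401 33',
]

if __name__ == "__main__":
    for installed in ("3.5.3", "3.5.4"):
        print(f"nuxt {installed}: {'fixed' if is_fixed(installed) else 'UPDATE REQUIRED'}")
    for number, ip, path in find_endpoint_requests(SAMPLE_LOG):
        print(f"line {number}: {ip} requested {path}")
```

Point `find_endpoint_requests` at the web server's access log and `is_fixed` at the `nuxt` entry of the application's lockfile; any hit on the endpoint on a not-yet-updated host is worth an incident review.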

Codename: Not available
Detectable with: Network Scanner
Exploitable with Sniper: Yes
Vuln date: Jun 2023
Published at:
Updated at:
Software Type: Web Framework
Vendor: Nuxt
Product: Nuxt