{
  "schema_version": "1.4.0",
  "id": "GHSA-jvhm-gjrh-3h93",
  "modified": "2025-03-20T19:31:04Z",
  "published": "2025-03-19T19:54:25Z",
  "aliases": [
    "CVE-2025-27415"
  ],
  "summary": "Nuxt allows DOS via cache poisoning with payload rendering response",
  "details": "### Summary\n\nBy sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.\n\nIt is possible to craft a request, such as `https://mysite.com/?/_payload.json` which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.\n\n### Impact\n\nAn attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.\n\n\n## Conclusion : \n\nThis is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see [this article](https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir), in particular the \"Internal URL parameter and pageProps\" part, the latter being very similar to the one concerning us here.)",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.16.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27415"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-19T19:54:25Z",
    "nvd_published_at": "2025-03-19T19:15:47Z"
  }
}