Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-3224

CVE-2023-3224: Nuxt Nuxt RCE Vulnerability

CVE-2023-3224 is a remote code execution flaw in Nuxt Nuxt that allows attackers to inject malicious code. This post covers the technical details, affected versions prior to 3.5.3, security impact, and mitigation steps.

Published:

CVE-2023-3224 Overview

CVE-2023-3224 is a code injection vulnerability affecting the Nuxt framework, a popular Vue.js-based web application framework. This vulnerability exists in versions prior to 3.5.3 and allows unauthenticated attackers to execute arbitrary code through the framework's test component renderer endpoint. The vulnerability stems from improper access controls on development-time server-side rendering functionality that was inadvertently exposed in production environments.

Critical Impact

Unauthenticated remote attackers can achieve full server compromise through code injection, potentially leading to complete system takeover, data exfiltration, and lateral movement within affected infrastructure.

Affected Products

  • Nuxt framework versions prior to 3.5.3
  • Applications built with vulnerable Nuxt versions in development mode
  • Server-side rendered (SSR) Nuxt applications with exposed test endpoints

Discovery Timeline

  • June 13, 2023 - CVE-2023-3224 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2023-3224

Vulnerability Analysis

This code injection vulnerability exists within Nuxt's server-side rendering component test functionality. The vulnerable code path is located in the nuxt-root.vue component, which handles a special URL endpoint (/__nuxt_component_test__/) designed for component testing during development. The critical flaw is that this endpoint was accessible whenever the application ran in development mode (process.dev), regardless of whether it was actually in a test environment.

The vulnerability allows attackers to craft malicious requests to the /__nuxt_component_test__/ endpoint, which dynamically imports and renders components. By manipulating the URL, attackers can potentially inject and execute arbitrary code on the server, as the component wrapper processes the URL path without proper validation or access restrictions.

Root Cause

The root cause lies in insufficient access control logic within the SingleRenderer component initialization. The original code checked only for process.dev and process.server conditions before enabling the test component wrapper functionality. This meant any development-mode deployment with SSR enabled would expose this dangerous endpoint.

The fix introduces an additional process.test condition, ensuring that the vulnerable code path is only accessible when the application is explicitly running in a test environment. Additionally, the patch exports devRootDir to further restrict access to components within the application's root directory.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests to the /__nuxt_component_test__/ endpoint on a vulnerable Nuxt application running in development mode. The endpoint's dynamic import functionality can be abused to execute arbitrary code on the server.

text
// Vulnerable code (before patch):
const SingleRenderer = process.dev && process.server && url.startsWith('/__nuxt_component_test__/') && defineAsyncComponent(() => import('#build/test-component-wrapper.mjs')
  .then(r => r.default(process.server ? url : window.location.href)))

// Patched code (after fix):
const SingleRenderer = process.test && process.dev && process.server && url.startsWith('/__nuxt_component_test__/') && /* #__PURE__ */ defineAsyncComponent(() => import('#build/test-component-wrapper.mjs')
  .then(r => r.default(process.server ? url : window.location.href)))

Source: GitHub Commit Details

Detection Methods for CVE-2023-3224

Indicators of Compromise

  • HTTP requests containing /__nuxt_component_test__/ in the URL path targeting your Nuxt applications
  • Unexpected server-side code execution or process spawning on Nuxt application servers
  • Anomalous import or require statements in server logs referencing the test component wrapper
  • Unusual outbound network connections from Nuxt application server processes

Detection Strategies

  • Monitor web server access logs for requests to /__nuxt_component_test__/ endpoints
  • Implement Web Application Firewall (WAF) rules to block requests containing the test endpoint path
  • Deploy runtime application self-protection (RASP) solutions to detect dynamic code execution attempts
  • Review Nuxt application configurations to ensure development mode is not enabled in production

Monitoring Recommendations

  • Configure alerting on any access attempts to /__nuxt_component_test__/ URLs in production environments
  • Implement application-level logging to track dynamic component imports and SSR rendering activities
  • Monitor process execution and file system activities on Nuxt application servers for signs of compromise
  • Establish baseline behavior for Nuxt applications and alert on deviations indicating potential exploitation

How to Mitigate CVE-2023-3224

Immediate Actions Required

  • Upgrade Nuxt framework to version 3.5.3 or later immediately
  • Ensure production deployments are not running in development mode (process.dev should be false)
  • Block requests to /__nuxt_component_test__/ at the network or WAF level as an interim measure
  • Audit existing Nuxt applications to identify any running vulnerable versions

Patch Information

The vulnerability has been addressed in Nuxt version 3.5.3. The fix adds an additional process.test condition to ensure the test component wrapper is only accessible during actual test runs. Organizations should upgrade to version 3.5.3 or later by updating the nuxt package in their package.json and running their package manager's update command. The security patch is available through the official GitHub commit.

Workarounds

  • Configure reverse proxy or WAF rules to block all requests containing /__nuxt_component_test__/ in the path
  • Ensure NODE_ENV is set to production on all production deployments to disable development features
  • Implement network segmentation to limit exposure of development-mode applications
  • Use containerization with read-only file systems to limit the impact of potential code execution
bash
# Configuration example - Block vulnerable endpoint in nginx
location ~* /__nuxt_component_test__ {
    deny all;
    return 403;
}

# Ensure production mode in deployment
export NODE_ENV=production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne