CVE-2024-34344 Overview
CVE-2024-34344 is a code injection vulnerability [CWE-94] in Nuxt, the open-source Vue.js framework for building full-stack web applications. The flaw stems from insufficient validation of the path parameter in the NuxtTestComponentWrapper. Attackers can execute arbitrary JavaScript on the server side, leading to arbitrary command execution. Developers running Nuxt tests locally are exposed when they visit a malicious web page in the same browser session. Because browsers can issue cross-origin requests to arbitrary addresses, a malicious page can repeatedly probe the local test server and trigger remote code execution when the server starts.
Critical Impact
A malicious web page visited by a developer can achieve remote code execution against the local Nuxt test server, compromising the developer workstation.
Affected Products
- Nuxt framework (nuxt:nuxt)
- Local Nuxt test server environments using NuxtTestComponentWrapper
- Developer workstations running Nuxt component tests
Discovery Timeline
- 2024-08-05 - CVE-2024-34344 published to NVD
- 2024-09-19 - Last updated in NVD database
Technical Details for CVE-2024-34344
Vulnerability Analysis
The vulnerability resides in the NuxtTestComponentWrapper, a helper used during local component testing. The path parameter accepted by the wrapper is not sufficiently validated before being passed into server-side execution logic. As a result, an attacker who can deliver a crafted request to the local test server can inject JavaScript that the Node.js process executes. Because the test server runs with the developer's privileges, arbitrary commands run in the developer's local context.
Exploitation does not require authentication or local access to the workstation. Instead, the attacker lures the developer to a malicious web page while the test environment is active. The malicious page issues cross-origin HTTP requests to the local Nuxt test endpoint, supplying an attacker-controlled path value. Once the request reaches the vulnerable wrapper, the injected payload runs server-side. The web page can poll repeatedly, so the exploit fires as soon as the developer starts the test server.
Root Cause
The root cause is improper control of generation of code [CWE-94] in the test component wrapper. User-supplied input flows into a code-evaluation path without sanitization or allow-list enforcement.
Attack Vector
The attack vector is network-based with user interaction. A developer must open a malicious URL in a browser while a vulnerable Nuxt test server is running locally. No authentication is required on the local server, and confidentiality, integrity, and availability are all impacted.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-v784-fjjh-f8r4. No verified public proof-of-concept code is associated with this CVE at the time of writing.
Detection Methods for CVE-2024-34344
Indicators of Compromise
- Unexpected child processes spawned by the Node.js process hosting the Nuxt test server (for example, shells, curl, wget, or package managers).
- Outbound network connections initiated by the local test server to unfamiliar domains shortly after test startup.
- HTTP requests to local test endpoints containing suspicious path parameter values referencing absolute filesystem paths, URLs, or JavaScript syntax.
- New or modified files in the developer's home directory or project workspace that were not created by the developer.
Detection Strategies
- Inspect web server access logs for requests to Nuxt test routes originating from cross-origin referrers.
- Monitor process lineage on developer endpoints to flag the Node.js test runner spawning interactive shells or system utilities.
- Apply behavioral identification rules on developer workstations to catch script interpreters launching post-exploitation tooling.
Monitoring Recommendations
- Centralize developer workstation telemetry, including process execution and network connections, into a SIEM or data lake for retrospective hunting.
- Track installed Nuxt versions across engineering inventories and alert on versions below the patched release.
- Alert on browsers communicating with localhost test ports across non-development origins.
How to Mitigate CVE-2024-34344
Immediate Actions Required
- Upgrade Nuxt to a version that includes the fix referenced in GHSA-v784-fjjh-f8r4.
- Stop running Nuxt component tests on workstations that also browse untrusted web content.
- Audit developer endpoints for signs of exploitation, including unexpected processes and outbound connections from Node.js.
Patch Information
The Nuxt maintainers addressed the issue through validation of the path parameter in the NuxtTestComponentWrapper. Refer to the Nuxt GitHub Security Advisory for the fixed version and patch commit details. Update the nuxt dependency in package.json and rebuild the project.
Workarounds
- Bind the Nuxt test server to a non-default loopback interface or randomized port to reduce predictability for cross-origin attackers.
- Use a dedicated browser profile or isolated browser for development that does not visit untrusted sites while tests run.
- Restrict outbound network access from the developer machine while the test server is running using host firewall rules.
# Configuration example: upgrade Nuxt to the patched release
npm install nuxt@latest
# Verify the installed version
npm ls nuxt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
