CVE-2026-45669 Overview
CVE-2026-45669 is an HTML injection vulnerability in Nuxt, an open-source web development framework for Vue.js. The flaw exists in the navigateTo() function when called with external: true. Nuxt generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag, but only sanitizes the destination URL by replacing " with %22. The characters <, >, &, and ' remain unencoded. An attacker who controls the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML or JavaScript that executes under the application's origin.
Critical Impact
Attackers can inject HTML and JavaScript that executes in the victim's browser under the application's origin, enabling cross-site scripting and session theft.
Affected Products
- Nuxt 3.x from 3.4.3 up to, but not including, 3.21.6
- Nuxt 4.x from 4.0.0-alpha.1 up to, but not including, 4.4.6
- Applications using navigateTo() with external: true and attacker-influenced URLs
Discovery Timeline
- 2026-06-12 - CVE-2026-45669 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-45669
Vulnerability Analysis
The vulnerability is classified under CWE-83 (Improper Neutralization of Script in Attributes in a Web Page). Nuxt's server-side navigateTo() helper emits an HTML response that performs a client-side redirect using a <meta http-equiv="refresh" content="0; url=…"> tag. The framework constructs this tag by interpolating the destination URL directly into the content attribute.
The sanitization routine only escapes double-quote characters by replacing them with %22. Other HTML-significant characters including <, >, &, and ' pass through unmodified. An attacker who supplies a URL containing > can terminate the meta tag and inject arbitrary subsequent HTML, including <script> blocks or event-handler attributes on injected elements.
Because the response is served from the application's own origin, injected JavaScript executes with full access to cookies, local storage, and any session context bound to that origin.
Root Cause
The root cause is incomplete output encoding when serializing untrusted input into an HTML attribute context. Replacing only " is insufficient for HTML attribute escaping. A correct implementation must encode <, >, &, ', and " as their respective HTML entities, or refuse non-URL inputs entirely before constructing the redirect document.
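The following JavaScript is an added example, not Nuxt's code or the patch from the advisory. It contrasts the quote-only escaping described above with complete HTML attribute encoding, builds the meta-refresh document with each, and checks whether any character that belongs encoded survived raw inside the content attribute. The destination URL is constructed for the example and carries a harmless <b> tag as a marker.

```javascript
// Added example, not Nuxt's code: contrasts the quote-only escaping the
// advisory describes with complete HTML attribute encoding, using a
// constructed destination URL that carries a harmless <b> tag as a marker.

// Mirrors the incomplete sanitization: only '"' becomes %22.
function escapeQuoteOnly(url) {
  return String(url).replace(/"/g, '%22');
}

// Complete encoding for an attribute value: every character that can end the
// value, end the tag or start a character reference becomes an entity. The
// browser decodes these back, so "?a=1&amp;b=2" still navigates to "?a=1&b=2".
const ATTR_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// The redirect document shape the advisory describes, built with a pluggable encoder.
function buildMetaRefresh(url, encoder) {
  return '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="refresh" content="0; url=${encoder(url)}">` +
    '</head></html>';
}

// Pulls the raw content="..." value back out and reports whether any
// character that should have been encoded survived. Only the five named
// entities used above are accepted after an ampersand.
function attributeIsCleanlyEncoded(html) {
  const m = html.match(/content="([^"]*)"/);
  if (!m) return false;
  const raw = m[1];
  return !/[<>']/.test(raw) && !/&(?!(?:amp|lt|gt|quot|#39);)/.test(raw);
}

// Constructed untrusted input: a URL with markup in its path and a two-parameter query.
const SAMPLE_UNTRUSTED_URL = 'https://example.com/<b>marker</b>?a=1&b=2';

// Runs both encoders over the sample and reports which one leaves the attribute clean.
function compareEncoders() {
  return {
    weak: attributeIsCleanlyEncoded(buildMetaRefresh(SAMPLE_UNTRUSTED_URL, escapeQuoteOnly)),
    complete: attributeIsCleanlyEncoded(buildMetaRefresh(SAMPLE_UNTRUSTED_URL, encodeHtmlAttribute)),
  };
}
```

With the quote-only escaper the check fails twice over: the raw < and > from the path survive, and the & separating the query parameters is an unterminated character reference. With the complete encoder the attribute contains only entities, and the browser decodes them back to the original URL before navigating, so legitimate query strings are not broken by the encoding.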
Attack Vector
Exploitation requires that an attacker influence the URL argument passed to navigateTo(url, { external: true }). Common patterns include redirect endpoints that read a ?redirect= query parameter or pass user-supplied values from forms or cookies. The attacker crafts a payload that closes the content attribute with >, terminates the <meta> tag, and appends arbitrary HTML such as a <script> element. User interaction is required only to the extent that the victim must visit the malicious redirect URL.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-fx6j-w5w5-h468 and the fix pull request for technical details.
Detection Methods for CVE-2026-45669
Indicators of Compromise
- Inbound HTTP requests containing URL parameters with <, >, or &# sequences targeting endpoints that perform external redirects
- Server responses containing <meta http-equiv="refresh"> tags with unencoded angle brackets inside the content attribute
- Unexpected <script> elements or event handler attributes appearing in redirect response bodies
Detection Strategies
- Inspect application logs for requests where query parameters destined for redirect handlers contain HTML metacharacters such as <script, onerror=, or '>.
- Audit the codebase for calls to navigateTo(url, { external: true }) where url derives from request input, cookies, or database values without strict allowlist validation.
- Deploy web application firewall rules that block HTML-injection payloads in parameters used by Nuxt redirect routes.
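As an added example of the log-inspection strategy above (not tooling from the advisory), this JavaScript parses combined-format access log lines, keeps only requests to the application's redirect handlers, and flags any watched query parameter whose decoded value contains HTML metacharacters. The route paths, parameter names and log lines are all assumptions constructed for the example.

```javascript
// Added example, not from the advisory: scanning access log lines for requests
// to redirect handlers whose query parameters carry HTML metacharacters.
// Routes, parameter names and log lines below are constructed assumptions.

// Assumed: paths of the application's redirect handlers and the query
// parameters each one reads and eventually hands to navigateTo().
const REDIRECT_ROUTES = {
  '/auth/callback': ['redirect'],
  '/go': ['to', 'url'],
};

// A decoded parameter value matching any of these is flagged.
const METACHAR_PATTERNS = [
  /[<>]/,                 // raw angle brackets: tag boundaries
  /&#x?[0-9a-f]+;?/i,     // numeric character references
  /'/,                    // single quote, which the quote-only escaper also misses
];

// URLSearchParams already decodes once; a second pass catches double-encoded
// values such as %253C. Invalid sequences are left as-is rather than thrown.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parses one combined-log-format line into its request fields, or null.
function parseAccessLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const [, clientIp, timestamp, method, target, status] = m;
  // Base origin is a placeholder only so that a path-only target parses.
  const u = new URL(target, 'http://placeholder.invalid');
  return { clientIp, timestamp, method, path: u.pathname, params: u.searchParams, status: Number(status) };
}

// Returns a finding for a request whose redirect parameter contains HTML
// metacharacters, or null when the line is uninteresting.
function inspectRequest(line) {
  const req = parseAccessLogLine(line);
  if (!req) return null;
  const watched = REDIRECT_ROUTES[req.path];
  if (!watched) return null;
  for (const name of watched) {
    const raw = req.params.get(name);
    if (raw === null) continue;
    const value = safeDecode(raw);
    const hit = METACHAR_PATTERNS.find((p) => p.test(value));
    if (hit) return { clientIp: req.clientIp, timestamp: req.timestamp, path: req.path, param: name, value, pattern: String(hit) };
  }
  return null;
}

function scanLog(lines) {
  return lines.map(inspectRequest).filter(Boolean);
}

// Constructed sample lines in Apache/nginx combined format.
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Jun/2026:10:01:02 +0000] "GET /auth/callback?redirect=https://app.example.com/dashboard HTTP/1.1" 302 0',
  '203.0.113.7 - - [12/Jun/2026:10:01:09 +0000] "GET /auth/callback?redirect=https://app.example.com/%3Cb%3Ex HTTP/1.1" 200 512',
  '203.0.113.9 - - [12/Jun/2026:10:02:11 +0000] "GET /go?to=https://app.example.com/a&url=https://app.example.com/b HTTP/1.1" 302 0',
  '203.0.113.9 - - [12/Jun/2026:10:02:30 +0000] "GET /search?q=%3Cb%3E HTTP/1.1" 200 2048',
];
```

Only the second line is reported: it targets a redirect handler and its redirect parameter decodes to a value containing angle brackets. The third line has two clean destinations and the fourth carries markup but in a search parameter that never reaches a redirect, so restricting the scan to the known redirect routes keeps the signal specific. The 200 status on the flagged line is itself worth noting, since a redirect handler that answered with a full body instead of a 3xx is consistent with the meta-refresh document being emitted.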
Monitoring Recommendations
- Monitor outbound responses from Nuxt servers for anomalous content in <meta http-equiv="refresh"> tags using response-body inspection.
- Track client-side errors and Content Security Policy violation reports that indicate inline script execution from unexpected sources.
- Alert on dependency manifests (package.json, package-lock.json) referencing Nuxt versions in the vulnerable ranges 3.4.3–3.21.5 and 4.0.0-alpha.1–4.4.5.
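The following JavaScript is an added example (not from the advisory) of the dependency check in the last bullet: it walks the packages map of a package-lock.json and reports every Nuxt entry whose version falls inside the affected ranges. The version comparison follows semver precedence, including the pre-release ordering needed for 4.0.0-alpha.1, so it goes beyond the bare string ranges in the text. The lockfile content is constructed for the example.

```javascript
// Added example, not from the advisory: flagging lockfile entries whose Nuxt
// version falls in an affected range. Pre-release versions (4.0.0-alpha.1)
// are ordered the semver way: a pre-release sorts before the matching
// release, and identifiers compare numerically when both are numeric.
// The lockfile content below is constructed.

const AFFECTED_RANGES = [
  { min: '3.4.3', maxExclusive: '3.21.6' },
  { min: '4.0.0-alpha.1', maxExclusive: '4.4.6' },
];

// Parses "v?MAJOR.MINOR.PATCH[-pre][+build]" into comparable parts, or null.
function parseSemver(v) {
  const m = String(v).trim().match(/^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/);
  if (!m) return null;
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

function compareIdentifiers(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;          // numeric identifiers sort before alphanumeric ones
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator returning -1, 0 or 1 following semver precedence rules.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;   // release > pre-release of the same number
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

// True when the version is inside any affected range. Unparsable specifiers
// ("latest", git URLs, ranges) return false and should be reported separately.
function isAffectedNuxtVersion(version) {
  const v = parseSemver(version);
  if (!v) return false;
  return AFFECTED_RANGES.some((r) =>
    compareSemver(v, parseSemver(r.min)) >= 0 && compareSemver(v, parseSemver(r.maxExclusive)) < 0);
}

// Walks a lockfile v2/v3 "packages" map and returns the affected Nuxt entries,
// including nested copies under workspace packages.
function findAffectedNuxt(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/nuxt$/.test(path) && isAffectedNuxtVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed package-lock.json with one affected and one patched copy of Nuxt.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { nuxt: '^3.20.0' } },
    'node_modules/nuxt': { version: '3.21.5' },
    'packages/admin/node_modules/nuxt': { version: '4.4.6' },
    'node_modules/nuxt-icon': { version: '1.0.0' },
  },
});
```

The lockfile, not package.json, is the right input: the caret range in package.json says nothing about which version is actually installed, and a monorepo can carry several copies of Nuxt at different versions. Note that a pre-release such as 4.4.6-rc.1 sorts below 4.4.6 and is therefore reported as affected, which matches the stated range even though the advisory lists only release numbers.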
How to Mitigate CVE-2026-45669
Immediate Actions Required
- Upgrade Nuxt to version 3.21.6 for the 3.x branch or 4.4.6 for the 4.x branch.
- Audit all uses of navigateTo() with external: true and confirm that the URL argument is either a static literal or a strictly validated value.
- Implement strict allowlist validation for any user-influenced redirect destinations.
Patch Information
The maintainers patched the vulnerability in Nuxt 3.21.6 and 4.4.6. The fix is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468 and implemented in pull request #35052. Upgrading is the recommended remediation.
Workarounds
- Validate redirect URLs against an allowlist of known-safe destinations before passing them to navigateTo().
- Reject any URL input containing HTML metacharacters (<, >, &, ') prior to invocation.
- Apply a strict Content Security Policy that disallows inline scripts to reduce the impact of HTML injection during the upgrade window.
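The following JavaScript is an added example (not Nuxt's code) of the allowlist validation recommended in the Immediate Actions and Workarounds lists. It accepts only absolute https URLs whose hostname is on an allowlist, refuses embedded credentials, rejects raw HTML metacharacters in the input, and falls back to a fixed destination on any rejection. The hostnames and fallback are assumptions for the example; the returned value is what an application would then pass to navigateTo(url, { external: true }).

```javascript
// Added example, not Nuxt's code: validating a user-influenced redirect
// destination before it reaches navigateTo(url, { external: true }).
// Allowed hostnames and the fallback destination are assumptions.

const ALLOWED_HOSTS = new Set(['app.example.com', 'accounts.example.com']);
const FALLBACK = 'https://app.example.com/';

const METACHARS = /[<>"']/;          // what breaks an attribute context
const STRICT_METACHARS = /[<>"'&]/;  // the advisory's workaround list, & included

// Returns { ok: true, url } with the normalised destination, or
// { ok: false, reason }. With strict: true the ampersand is refused as well,
// which also blocks multi-parameter query strings; use it while the
// framework in front of this check is still unpatched.
function validateExternalRedirect(candidate, { strict = false } = {}) {
  if (typeof candidate !== 'string' || candidate.length === 0 || candidate.length > 2048) {
    return { ok: false, reason: 'missing or oversized' };
  }
  // Checked on the raw input: the URL parser percent-encodes < > " in most
  // components but leaves ' and & alone, so do not rely on it for this.
  if ((strict ? STRICT_METACHARS : METACHARS).test(candidate)) {
    return { ok: false, reason: 'html metacharacter in input' };
  }
  let u;
  // No base URL on purpose: relative and protocol-relative inputs must fail.
  try { u = new URL(candidate); } catch { return { ok: false, reason: 'not an absolute URL' }; }
  if (u.protocol !== 'https:') return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  if (!ALLOWED_HOSTS.has(u.hostname)) return { ok: false, reason: `host ${u.hostname} not allowlisted` };
  return { ok: true, url: u.href };
}

// What the redirect handler hands to navigateTo(): the validated URL or the fallback.
function safeRedirectTarget(candidate, options) {
  const r = validateExternalRedirect(candidate, options);
  return r.ok ? r.url : FALLBACK;
}
```

Parsing with the WHATWG URL parser and comparing u.hostname, rather than matching the input string with a prefix or regular expression, is what defeats the usual allowlist bypasses: app.example.com.evil.example is a different hostname, https://app.example.com@evil.example/ parses with evil.example as the host, and an uppercase scheme or host is normalised before the comparison. Returning u.href rather than the original string means the value handed to navigateTo() is the canonical form the parser produced.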
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.