CVE-2026-53721 Overview
CVE-2026-53721 is a route-rule middleware bypass vulnerability in Nuxt, an open-source web development framework for Vue.js. The flaw stems from a case-sensitivity mismatch between vue-router and the routeRules matcher. Attackers can submit requests with mixed-case URL paths to evade route rules that enforce authentication, headers, caching policies, or middleware behavior. The issue affects Nuxt versions 3.11.0 through 3.21.6 and 4.0.0 through 4.4.6. Maintainers patched the issue in versions 3.21.7 and 4.4.7.
Critical Impact
Remote unauthenticated attackers can bypass routeRules middleware by altering the case of URL path segments, exposing protected routes and sensitive data without triggering enforcement logic.
Affected Products
- Nuxt versions 3.11.0 through 3.21.6
- Nuxt versions 4.0.0 through 4.4.6
- Applications relying on routeRules for access control, header injection, or middleware routing
Discovery Timeline
- 2026-06-12 - CVE-2026-53721 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-53721
Vulnerability Analysis
The vulnerability is classified as CWE-178, Improper Handling of Case Sensitivity. Nuxt's routeRules configuration lets developers attach middleware, security headers, caching, and redirects to specific URL patterns. The internal matcher compared incoming paths against rule patterns using a case-sensitive comparison. However, vue-router resolves routes case-insensitively, so the same URL with different casing resolves to the same component while bypassing the routeRules matcher.
This mismatch allows an attacker to reach the underlying handler through paths like /Admin or /aDmin while routeRules configured for /admin are skipped. Any access control, rate limiting, or header policy attached to routeRules becomes ineffective.
Root Cause
The root cause lives in two locations: packages/nitro-server/src/index.ts and packages/nuxt/src/app/composables/manifest.ts. Both call routeRulesMatcher(path) with the raw request path. Because vue-router lowercases path matching by default, two different normalization strategies coexist in the same request flow. Protected logic relying on routeRules therefore depends on string case rather than route identity.
Attack Vector
Exploitation is network-based, requires no authentication, and requires no user interaction. An attacker crafts an HTTP request with capitalized characters in path segments that correspond to protected routeRules entries. The server routes the request through vue-router to the intended handler while skipping the rule-driven middleware chain.
// Patch in packages/nuxt/src/app/composables/manifest.ts
export function getRouteRules (arg: string | H3Event | { path: string }) {
const path = typeof arg === 'string' ? arg : arg.path
try {
- return routeRulesMatcher(path)
+ return routeRulesMatcher(path.toLowerCase())
} catch (e) {
console.error('[nuxt] Error matching route rules.', e)
return {}
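Review bot: lowercasing `path` normalizes only the request side of the comparison; a routeRules key that itself contains uppercase characters (for example `/Admin/**`) would never match after this change, so either normalize the rule keys when the matcher is built or state in the routeRules documentation that keys must be lowercase, and add a test that a mixed-case request path resolves to the same rules as its lowercase form.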
Source: Nuxt commit 07e39cd
// Patch in packages/nitro-server/src/index.ts
return cachedMatchers[key] = `
import { defu } from 'defu'
const matcher = ${matcher}
- export default (path) => defu({}, ...matcher('', path).map(r => r.data).reverse())
+ export default (path) => defu({}, ...matcher('', typeof path === 'string' ? path.toLowerCase() : path).map(r => r.data).reverse())
`
},
})
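Review bot: the inline `typeof path === 'string' ? path.toLowerCase() : path` guard is embedded in a generated template string, which makes the emitted matcher hard to read and to test; suggest emitting a small named helper next to `const matcher = ${matcher}` (for instance `const normalize = (p) => typeof p === 'string' ? p.toLowerCase() : p`) and calling `matcher('', normalize(path))`. The non-string branch passes the value through unchanged, so the same caveat as in the manifest.ts hunk applies: rule keys must already be lowercase for the lookup to succeed.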
Source: Nuxt commit 3f3e3fa
The fix lowercases the path string before invoking routeRulesMatcher, mirroring vue-router semantics.
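To make the mismatch concrete, here is an added example (not Nuxt's own code) of a toy route-rule lookup with the same shape as getRouteRules: rules keyed by path pattern, the most specific rule winning on conflicts, with a vulnerable raw-path variant beside the lowercased one. The rule set and pattern syntax are constructed for illustration.

```typescript
// Added example, not Nuxt's own code: a toy route-rule lookup with the
// same shape as getRouteRules (rules keyed by path pattern, most specific
// rule winning on conflicts) showing the bypass and the lowercase fix.
type RouteRule = Record<string, unknown>;

// Constructed rules in the style of routeRules in nuxt.config.ts (hypothetical).
const rules: Record<string, RouteRule> = {
  '/admin/**': { appMiddleware: 'auth', headers: { 'x-frame-options': 'DENY' } },
  '/admin/reports': { cache: { maxAge: 0 } },
  '/api/**': { cors: true },
};

// A rule key is either an exact path or a "/prefix/**" wildcard.
function keyMatches(key: string, path: string): boolean {
  if (key.endsWith('/**')) {
    const prefix = key.slice(0, -3);
    return path === prefix || path.startsWith(prefix + '/');
  }
  return key === path;
}

// Merge every matching rule; longer keys count as more specific and are
// applied last so they override shorter ones (like defu over reversed matches).
function matchRules(path: string): RouteRule {
  const matched = Object.keys(rules)
    .filter((k) => keyMatches(k, path))
    .sort((a, b) => a.length - b.length);
  return matched.reduce((acc, k) => ({ ...acc, ...rules[k] }), {} as RouteRule);
}

// Vulnerable lookup: the raw request path is compared case-sensitively.
function getRouteRulesVulnerable(path: string): RouteRule {
  return matchRules(path);
}

// Patched lookup: lowercase first, as the Nuxt fix does before routeRulesMatcher.
function getRouteRulesFixed(path: string): RouteRule {
  return matchRules(path.toLowerCase());
}

// True when the lookup attaches the auth middleware for this request path.
function authEnforced(lookup: (p: string) => RouteRule, path: string): boolean {
  return lookup(path).appMiddleware === 'auth';
}
```

With the vulnerable lookup, /Admin/reports returns no rules at all even though vue-router would still render the admin page; the fixed lookup returns the merged admin and reports rules.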
Detection Methods for CVE-2026-53721
Indicators of Compromise
- HTTP requests targeting paths with non-standard capitalization that should be governed by routeRules, such as /Admin, /API/v1/Users, or /Dashboard.
- Application logs showing successful responses for protected endpoints without corresponding middleware log entries.
- Absence of expected security headers (CSP, HSTS, custom auth headers) on responses that should have them enforced via routeRules.
Detection Strategies
- Inspect web server and reverse proxy access logs for mixed-case variants of routes defined in nuxt.config.ts under routeRules.
- Compare request volume for the canonical lowercase path versus capitalized variants to identify probing patterns.
- Deploy a request-normalization audit at the edge that flags any incoming path differing from its lowercased form against a known sensitive route list.
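The first two strategies above, as an added example that is not part of the advisory: a scanner that reads access-log lines, flags requests whose path differs from its lowercase form under a routeRules-protected prefix, and tallies canonical versus variant volume per prefix. The log lines, hosts and protected prefixes are constructed for illustration.

```typescript
// Added example, not from the advisory: scan access-log lines for mixed-case
// variants of routeRules-protected paths and tally canonical vs. variant
// request volume per protected prefix.

// Constructed sample lines in common log format; hosts and paths are hypothetical.
const sampleLog = `
10.0.0.5 - - [12/Jun/2026:10:01:02 +0000] "GET /admin/reports HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2026:10:01:09 +0000] "GET /Admin/reports HTTP/1.1" 200 512
10.0.0.7 - - [12/Jun/2026:10:02:00 +0000] "GET /API/v1/Users?page=2 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jun/2026:10:02:30 +0000] "GET /blog/Hello-World HTTP/1.1" 200 4096
10.0.0.5 - - [12/Jun/2026:10:03:00 +0000] "POST /aDmin/export HTTP/1.1" 200 99
`.trim();

// Lowercase prefixes of routes governed by routeRules (hypothetical list).
const protectedPrefixes = ['/admin', '/api/v1/users'];

interface Finding { ip: string; method: string; path: string; canonical: string; }
interface Volume { canonical: number; variant: number; }

// Common log format: ip ident user [time] "method target proto" status size
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Which protected prefix (if any) does this path fall under, ignoring case?
function protectedPrefixOf(path: string): string | undefined {
  const lower = path.toLowerCase();
  return protectedPrefixes.find((p) => lower === p || lower.startsWith(p + '/'));
}

// Flags requests whose path differs from its lowercase form under a protected
// prefix; legitimate mixed-case slugs outside those prefixes (the blog post)
// are ignored. Also counts canonical vs. variant hits per prefix.
function scanAccessLog(log: string): { findings: Finding[]; volume: Record<string, Volume> } {
  const findings: Finding[] = [];
  const volume: Record<string, Volume> = {};
  for (const line of log.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const ip = m[1], method = m[2], path = m[3].split('?')[0];
    const prefix = protectedPrefixOf(path);
    if (!prefix) continue;
    const v = (volume[prefix] ??= { canonical: 0, variant: 0 });
    if (path === path.toLowerCase()) {
      v.canonical++;
    } else {
      v.variant++;
      findings.push({ ip, method, path, canonical: prefix });
    }
  }
  return { findings, volume };
}
```

A prefix that sees more variant than canonical hits, as /admin does in the sample, is the probing pattern the second strategy describes.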
Monitoring Recommendations
- Add alerting for unauthenticated access to handlers expected to be protected by routeRules middleware.
- Track responses missing rule-injected headers for routes that should always include them.
- Correlate path-casing anomalies with downstream actions such as authentication failures, data exports, or privilege checks.
How to Mitigate CVE-2026-53721
Immediate Actions Required
- Upgrade Nuxt to version 3.21.7 for the 3.x branch or 4.4.7 for the 4.x branch.
- Audit nuxt.config.ts for routeRules entries that enforce authentication, headers, or redirects on case-sensitive paths.
- Enforce path normalization at a reverse proxy or CDN layer to lowercase incoming request paths before they reach the Nuxt server.
Patch Information
The Nuxt maintainers released fixes in versions 3.21.7 and 4.4.7. The patches lowercase the request path before invoking routeRulesMatcher, aligning matcher behavior with vue-router. Review the GitHub Security Advisory GHSA-mm7m-92g8-7m47 for full advisory details.
Workarounds
- Add an edge rule in your CDN or reverse proxy that lowercases the path component of incoming URLs before forwarding to Nuxt.
- Add explicit routeRules patterns for known capitalized variants if upgrading is not immediately possible.
- Implement application-level middleware that rejects or redirects requests whose path differs from its lowercased form.
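The third workaround, as an added example that is not Nuxt's own code: the decision logic a server middleware would apply to each request. It is written as a pure function of method and URL so it runs stand-alone; the defineEventHandler wrapper that would call it in a Nuxt server middleware is assumed and omitted.

```typescript
// Added example, not Nuxt's own code: decision logic for the
// application-level workaround. A Nuxt server middleware would call this
// with the request method and URL and act on the returned decision
// (the defineEventHandler wrapper is omitted so the function runs stand-alone).
interface Decision { action: 'pass' | 'redirect' | 'reject'; status?: number; location?: string; }

function caseNormalizationDecision(method: string, url: string): Decision {
  // Only the path is case-folded; the query string is preserved verbatim.
  const q = url.indexOf('?');
  const path = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? '' : url.slice(q);
  const lower = path.toLowerCase();
  if (path === lower) return { action: 'pass' };
  // Safe methods get a permanent redirect to the canonical path so the
  // routeRules middleware chain runs on the follow-up request.
  if (method === 'GET' || method === 'HEAD') {
    return { action: 'redirect', status: 308, location: lower + query };
  }
  // Redirecting a request with a body would drop or replay it; reject instead.
  return { action: 'reject', status: 404 };
}
```

If the application has legitimately case-sensitive dynamic segments, restrict the check to the prefixes covered by routeRules rather than every path.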
# Upgrade Nuxt to a patched release
npm install nuxt@3.21.7
# or for the 4.x branch
npm install nuxt@4.4.7
# Verify the installed version
npx nuxt info | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

