CVE-2024-42352

Summary

CVE-2024-42352 is a vulnerability affecting Nuxt, a popular free and open-source framework for creating web applications using Vue.js. The issue lies with the `nuxt/icon` API, which allows client-side icon lookup through an endpoint at `/api/_nuxt_icon/[name]`. Maliciously crafted requests can exploit this vulnerability by improperly parsing the request path, enabling an attacker to change the scheme and host of the request, resulting in a Server-Side Request Forgery (SSRF) attack. The `new URL` constructor, which can parse relatively formatted URLs, is the root cause of this issue. An attacker can exploit this by passing a path prefixed with the string `http:`, changing the scheme to HTTP and subsequently passing a new host, potentially leading to sensitive data exposure. Nuxt has released version 1.4.5 to address this vulnerability, and all users are advised to upgrade as soon as possible. There are currently no known workarounds for this issue.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.