SCA: security update for nuxt (GHSA-p6jq-8vc4-79f6)

low Tenable Self-Hosted Container Security Plugin ID 435349

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, a client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts), where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, the data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json, where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+. (CVE-2025-59414)

See Also

https://github.com/advisories/GHSA-p6jq-8vc4-79f6

Plugin Details

Severity: Low

ID: 435349

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 9/18/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 2

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-59414

CVSS v3

Risk Factor: Low

Base Score: 3.1

Temporal Score: 2.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/17/2025

Vulnerability Publication Date: 9/17/2025

Reference Information

CVE: CVE-2025-59414

CWE: CWE-22