Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp | Advisories

Advisories

Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp

severity: medium
date: 6/22/2026
Affecting: Nuxt >= 4.0.0, < 4.4.7
Nuxt >= 0, < 3.21.7
CVE: CVE-2026-56697
CWE: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSS: 5.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)
https://github.com/nuxt/nuxt/commit/e447a793c47766834f7497f8412a76cd56fd8ee1
https://github.com/nuxt/nuxt/commit/6497d99dd106254abd089f6a263d7773869a343b
Credit: alcls01111
Description: Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo