Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-H5XV-5CPX-PF45

Vulnerability from github – Published: 2025-03-25 15:31 – Updated: 2025-03-25 15:31
VLAI
Details

VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain ability to perform certain high privilege operations within that VM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-25T14:15:28Z",
    "severity": "HIGH"
  },
  "details": "VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control.\u00a0A malicious actor with non-administrative privileges on a guest VM may gain ability to perform certain high privilege operations within that VM.",
  "id": "GHSA-h5xv-5cpx-pf45",
  "modified": "2025-03-25T15:31:29Z",
  "published": "2025-03-25T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22230"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H6QG-7FQ8-GW5H

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-17 15:30
VLAI
Details

This vulnerability affects Firefox < 143 and Thunderbird < 143.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T13:15:46Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability affects Firefox \u003c 143 and Thunderbird \u003c 143.",
  "id": "GHSA-h6qg-7fq8-gw5h",
  "modified": "2025-09-17T15:30:28Z",
  "published": "2025-09-16T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10531"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1978453"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-73"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-77"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H886-6WVM-63QX

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-26 00:31
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse.This issue affects Miraculous Elementor: from n/a through <= 2.0.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:06Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse.This issue affects Miraculous Elementor: from n/a through \u003c= 2.0.7.",
  "id": "GHSA-h886-6wvm-63qx",
  "modified": "2026-02-26T00:31:23Z",
  "published": "2026-02-20T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67998"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/miraculous-el/vulnerability/wordpress-miraculous-elementor-plugin-2-0-7-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8MC-VJ52-4VXX

Vulnerability from github – Published: 2025-11-19 00:31 – Updated: 2025-11-19 15:31
VLAI
Details

The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T22:15:51Z",
    "severity": "CRITICAL"
  },
  "details": "The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.",
  "id": "GHSA-h8mc-vj52-4vxx",
  "modified": "2025-11-19T15:31:38Z",
  "published": "2025-11-19T00:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63217%20_%20Itel%20DAB%20MUX%20Authentication%20Bypass"
    },
    {
      "type": "WEB",
      "url": "https://www.itel.it"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8QQ-2M4G-FP6F

Vulnerability from github – Published: 2023-02-27 21:30 – Updated: 2023-03-08 21:30
VLAI
Details

A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.2, iOS 15.7.3 and iPadOS 15.7.3, tvOS 16.3, watchOS 9.3, iOS 16.3 and iPadOS 16.3. An app may be able to bypass Privacy preferences.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-27T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.2, iOS 15.7.3 and iPadOS 15.7.3, tvOS 16.3, watchOS 9.3, iOS 16.3 and iPadOS 16.3. An app may be able to bypass Privacy preferences.",
  "id": "GHSA-h8qq-2m4g-fp6f",
  "modified": "2023-03-08T21:30:23Z",
  "published": "2023-02-27T21:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23503"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213598"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213599"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213601"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213605"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213606"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8VR-Q495-8MWJ

Vulnerability from github – Published: 2025-05-14 18:30 – Updated: 2025-05-19 15:30
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-14T17:15:50Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.",
  "id": "GHSA-h8vr-q495-8mwj",
  "modified": "2025-05-19T15:30:39Z",
  "published": "2025-05-14T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47710"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9X6-QCR3-MF95

Vulnerability from github – Published: 2024-10-25 06:30 – Updated: 2024-10-25 06:30
VLAI
Details

The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T06:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "The Comments \u2013 wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.",
  "id": "GHSA-h9x6-qcr3-mf95",
  "modified": "2024-10-25T06:30:33Z",
  "published": "2024-10-25T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9488"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpdiscuz/trunk/forms/wpdFormAttr/Login/SocialLogin.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3164486"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b71706a7-e101-4d50-a2da-1aeeaf07cf4b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9XX-632F-3WF6

Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-01 18:32
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass.This issue affects Projectopia: from n/a through 5.1.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-13T15:15:40Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass.This issue affects Projectopia: from n/a through 5.1.7.",
  "id": "GHSA-h9xx-632f-3wf6",
  "modified": "2026-04-01T18:32:46Z",
  "published": "2024-12-13T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54336"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/projectopia-core/vulnerability/wordpress-projectopia-plugin-5-1-7-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HF6C-FGP3-JFCH

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-04-29 20:25
VLAI
Summary
Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
Details

Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/tfa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T17:15:20Z",
    "nvd_published_at": "2025-03-31T22:15:22Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.",
  "id": "GHSA-hf6c-fgp3-jfch",
  "modified": "2025-04-29T20:25:54Z",
  "published": "2025-04-01T00:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31694"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.drupalcode.org/project/tfa"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing"
}

GHSA-HG3F-28RG-4JXJ

Vulnerability from github – Published: 2026-05-29 17:15 – Updated: 2026-07-08 17:35
VLAI
Summary
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Details

Summary

When experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run.

For Nuxt applications that gate a .server.vue page behind route middleware as their sole auth check, an unauthenticated attacker could bypass that check by requesting /__nuxt_island/page_<routeName>_<anyhash> directly and receiving the server-rendered HTML.

Affected configurations

All three conditions must hold for an application to be vulnerable:

  1. experimental.componentIslands is enabled (the default in Nuxt 4; opt-in in Nuxt 3).
  2. The application defines one or more .server.vue files under pages/, registering them as routed pages.
  3. Authentication / authorization for at least one such page is enforced solely via route middleware (middleware/*.ts referenced from definePageMeta), without a server-side check inside the page or its data layer.

Applications that enforce auth inside the island's own data layer (server-only API routes, useRequestEvent + manual session checks, etc.) were not affected. The general "route middleware does not run for non-page island components" behaviour is documented and unchanged; this advisory concerns the .server.vue page case specifically, where running middleware is the user's clear expectation.

Details

  • Build (packages/nuxt/src/components/templates.ts): .server.vue pages are registered as island components with page_ prefix, making them addressable through /__nuxt_island/page_<routeName>_<hashId>.
  • Runtime (packages/nitro-server/src/runtime/handlers/island.ts): the handler resolves the requested island component and renders it via renderer.renderToString(ssrContext). The Vue Router plugin previously short-circuited middleware execution whenever ssrContext.islandContext was set.
  • The two paths interact so that route middleware declared on the source page never runs.

Proof of concept

Given a page app/pages/secret.server.vue:

<script setup lang="ts">
definePageMeta({ middleware: 'auth' })
</script>

<template>
<h1>SECRET DATA</h1>
</template>

with middleware/auth.ts blocking unauthenticated access:

# Direct page request: blocked by middleware
curl -i http://localhost:3000/secret
# -> 403 / redirect, depending on the middleware

# Island request: middleware did not run before this fix
curl -i 'http://localhost:3000/__nuxt_island/page_secret_anyhash'
# -> 200 OK, body includes <h1>SECRET DATA</h1>

Patches

Patched in nuxt@4.4.6 and nuxt@3.21.6 by #35092. The Vue Router plugin now runs middleware and redirect handling for page_* islands (i.e. islands that originate from .server.vue files in pages/). The island handler propagates middleware-issued responses (~renderResponse), and a new beforeResolve guard returns HTTP 400 when the requested page_<name> does not match the route component the URL resolves to.

Non-page island components are unaffected - they continue to render without route middleware, by design.

Workarounds

If you cannot upgrade immediately:

  • Enforce authentication inside the .server.vue page itself, not via route middleware. Read the session from useRequestEvent() and throw createError({ statusCode: 401 }) (or redirect) before returning data. This is the recommended pattern for islands regardless of this advisory.
  • Disable experimental.componentIslands if your app does not use the feature.
  • If your app must keep route-middleware-only auth, gate the /__nuxt_island/page_* URL prefix at your reverse proxy or in a server middleware.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.21.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11.0"
            },
            {
              "fixed": "3.21.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.21.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/nitro-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.20.0"
            },
            {
              "fixed": "3.21.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/nitro-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T17:15:11Z",
    "nvd_published_at": "2026-06-12T14:16:32Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen `experimental.componentIslands` is enabled (default in Nuxt 4), any `.server.vue` file under `pages/` is automatically registered as a server island under the key `page_\u003crouteName\u003e` and exposed via the `/__nuxt_island/:name` endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including `definePageMeta({ middleware })`) did not run.\n\nFor Nuxt applications that gate a `.server.vue` *page* behind route middleware as their sole auth check, an unauthenticated attacker could bypass that check by requesting `/__nuxt_island/page_\u003crouteName\u003e_\u003canyhash\u003e` directly and receiving the server-rendered HTML.\n\n### Affected configurations\n\nAll three conditions must hold for an application to be vulnerable:\n\n1. `experimental.componentIslands` is enabled (the default in Nuxt 4; opt-in in Nuxt 3).\n2. The application defines one or more `.server.vue` files under `pages/`, registering them as routed pages.\n3. Authentication / authorization for at least one such page is enforced solely via route middleware (`middleware/*.ts` referenced from `definePageMeta`), without a server-side check inside the page or its data layer.\n\nApplications that enforce auth inside the island\u0027s own data layer (server-only API routes, `useRequestEvent` + manual session checks, etc.) were not affected. The general \"route middleware does not run for non-page island *components*\" behaviour is documented and unchanged; this advisory concerns the `.server.vue` *page* case specifically, where running middleware is the user\u0027s clear expectation.\n\n### Details\n\n- Build (`packages/nuxt/src/components/templates.ts`): `.server.vue` pages are registered as island components with `page_` prefix, making them addressable through `/__nuxt_island/page_\u003crouteName\u003e_\u003chashId\u003e`.\n- Runtime (`packages/nitro-server/src/runtime/handlers/island.ts`): the handler resolves the requested island component and renders it via `renderer.renderToString(ssrContext)`. The Vue Router plugin previously short-circuited middleware execution whenever `ssrContext.islandContext` was set.\n- The two paths interact so that route middleware declared on the source page never runs.\n\n### Proof of concept\n\nGiven a page `app/pages/secret.server.vue`:\n\n```vue\n\u003cscript setup lang=\"ts\"\u003e\ndefinePageMeta({ middleware: \u0027auth\u0027 })\n\u003c/script\u003e\n\n\u003ctemplate\u003e\n\u003ch1\u003eSECRET DATA\u003c/h1\u003e\n\u003c/template\u003e\n```\n\nwith `middleware/auth.ts` blocking unauthenticated access:\n\n```bash\n# Direct page request: blocked by middleware\ncurl -i http://localhost:3000/secret\n# -\u003e 403 / redirect, depending on the middleware\n\n# Island request: middleware did not run before this fix\ncurl -i \u0027http://localhost:3000/__nuxt_island/page_secret_anyhash\u0027\n# -\u003e 200 OK, body includes \u003ch1\u003eSECRET DATA\u003c/h1\u003e\n```\n\n### Patches\n\nPatched in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35092](https://github.com/nuxt/nuxt/pull/35092). The Vue Router plugin now runs middleware and redirect handling for `page_*` islands (i.e. islands that originate from `.server.vue` files in `pages/`). The island handler propagates middleware-issued responses (`~renderResponse`), and a new `beforeResolve` guard returns HTTP 400 when the requested `page_\u003cname\u003e` does not match the route component the URL resolves to.\n\nNon-page island components are unaffected - they continue to render without route middleware, by design.\n\n### Workarounds\n\nIf you cannot upgrade immediately:\n\n- Enforce authentication inside the `.server.vue` page itself, not via route middleware. Read the session from `useRequestEvent()` and `throw createError({ statusCode: 401 })` (or redirect) before returning data. This is the recommended pattern for islands regardless of this advisory.\n- Disable `experimental.componentIslands` if your app does not use the feature.\n- If your app must keep route-middleware-only auth, gate the `/__nuxt_island/page_*` URL prefix at your reverse proxy or in a server middleware.",
  "id": "GHSA-hg3f-28rg-4jxj",
  "modified": "2026-07-08T17:35:13Z",
  "published": "2026-05-29T17:15:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/issues/19772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/pull/35092"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nuxt\u0027s route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`"
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.