{"uuid": "5fe187ab-e4ca-478f-9b40-561b07a9c800", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-m3q2-p4fw-w38m", "type": "seen", "source": "https://gist.github.com/alon710/244419ca59c137ef079d33a9b117602b", "content": "# GHSA-M3Q2-P4FW-W38M: Cross-Site Scripting (XSS) via Unsafe innerHTML Assignment in Nuxt  Component\n\n> **CVSS Score:** 2.3\n> **Published:** 2026-06-16\n> **Full Report:** https://cvereports.com/reports/GHSA-M3Q2-P4FW-W38M\n\n## Summary\nA low-severity Cross-Site Scripting (XSS) vulnerability in Nuxt's globally registered  head component allows unauthenticated attackers to execute arbitrary JavaScript. By injecting dynamic, untrusted data into  slots, standard Vue HTML escaping is bypassed because the component processes slot text nodes and assigns them directly to the target element's innerHTML property instead of textContent. In modern browsers with scripting enabled, this raw injection can implicitly close the  tag, triggering script execution.\n\n## TL;DR\nUnsafe innerHTML assignment in Nuxt's  component allows Cross-Site Scripting (XSS) when untrusted dynamic data is interpolated in slots. 
Historically significant as one of the first zero-days discovered and reported by an AI assistant (Claude).\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 2.3 (Low)\n- **Exploit Status**: Proof-of-Concept\n- **Affected Component**:  Runtime Component\n- **Discovery Mechanism**: Autonomous AI Discovery (Claude)\n\n## Affected Systems\n\n- Nuxt applications using server-side rendering (SSR)\n- Applications using Nuxt  runtime head component with dynamic slot content\n- **nuxt**: < 3.21.7 (Fixed in: `3.21.7`)\n- **nuxt**: >= 4.0.0, < 4.4.7 (Fixed in: `4.4.7`)\n\n## Mitigation\n\n- Upgrade to Nuxt version 3.21.7 or 4.4.7.\n- Avoid using dynamic user input inside the slots of the  component.\n- Sanitize any dynamic data passed to head components using manual HTML escaping.\n- Programmatically configure noscript tags using the useHead helper.\n\n**Remediation Steps:**\n1. Identify all occurrences of the  component in your Nuxt codebase.\n2. Verify if any of these occurrences interpolate dynamic, user-controlled variables.\n3. If dynamic variables are found, refactor them to use static text or programmatic useHead options.\n4. Update the project dependency lockfile to ensure nuxt is at version 3.21.7 or higher (for Nuxt 3) or 4.4.7 or higher (for Nuxt 4).\n5. Deploy the updated application and verify that output  tags inside the server-rendered HTML have escaped characters.\n\n## References\n\n- [GitHub Advisory for GHSA-M3Q2-P4FW-W38M](https://github.com/advisories/GHSA-m3q2-p4fw-w38m)\n- [Nuxt Security Advisory Page](https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m)\n- [Duplicate Advisory Reference (GHSA-8grp-wcq9-925q)](https://github.com/advisories/GHSA-8grp-wcq9-925q)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-M3Q2-P4FW-W38M) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T00:41:42.000000Z"}