CVE-2024-34344: Nuxt vulnerable to remote code execution via the browser when running the test locally
Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.
References
- github.com/advisories/GHSA-v784-fjjh-f8r4
- github.com/nuxt/nuxt
- github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts
- github.com/nuxt/nuxt/security/advisories/GHSA-v784-fjjh-f8r4
- nvd.nist.gov/vuln/detail/CVE-2024-34344