CVE-2025-27415
Published: 19 March 2025
Summary
CVE-2025-27415 is a high-severity Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349) vulnerability in Nuxt. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 49.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely flaw remediation by patching Nuxt to version 3.16.0 or later, which prevents generation of cacheable JSON responses for crafted requests.
- CM-6 (Configuration Settings): requires secure configuration of CDN caching to include query strings in cache keys, blocking the poisoning attack even on vulnerable Nuxt versions.
- SC-5 (Denial-of-service Protection): implements denial-of-service protections at web boundaries to mitigate the high-impact availability disruption from perpetual cache poisoning.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of the Nuxt web application to cause a denial of service: a crafted HTTP request (e.g., /?/_payload.json) poisons the CDN cache, so that the CDN serves the cached JSON response to legitimate HTML requests and the site becomes unavailable indefinitely.
NVD Description
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0.
Deeper analysis
CVE-2025-27415 is a cache poisoning vulnerability affecting Nuxt, an open-source web development framework for Vue.js, in versions prior to 3.16.0. The issue arises when a Nuxt server is deployed behind a CDN that ignores query strings when determining cache keys for routes. By sending a crafted HTTP request, such as https://mysite.com/?/_payload.json, an attacker can trigger a JSON response that gets cached by the CDN and inadvertently served to subsequent visitors, disrupting normal site functionality. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data).
Any remote attacker without authentication or user interaction can exploit this vulnerability by crafting and sending the malicious request to a vulnerable Nuxt site behind a susceptible CDN configuration. Successful exploitation poisons the CDN cache, causing the site to serve invalid JSON responses to legitimate users instead of the expected HTML, leading to high-impact denial of service that renders the site unavailable indefinitely. Attackers can exacerbate this by automating requests at intervals matching the CDN's caching duration to perpetually refresh the poisoned cache entry.
The Nuxt security advisory at https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 details the fix implemented in version 3.16.0, which prevents the crafted requests from generating cacheable JSON responses. Security practitioners should upgrade to Nuxt 3.16.0 or later and review CDN configurations to ensure query strings are properly considered in cache keys.
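The following is an added illustration, not code from Nuxt or the advisory, of the two defensive points above: why a CDN cache key that drops the query string lets the crafted request collide with the legitimate page, and how to spot that request shape during log review. The key functions and the access-log lines are constructed for the example; they stand in for whatever key logic a given CDN exposes.

```javascript
// Weak key: the query string is dropped, so "/" and "/?/_payload.json"
// map to the same cache entry and the JSON response can replace the HTML.
function weakCacheKey(rawUrl) {
  const u = new URL(rawUrl);
  return u.host + u.pathname;
}

// Hardened key (the CM-6 setting described above): the query string is part
// of the key, so a response cached for the crafted request is never served
// to a visitor requesting "/".
function hardenedCacheKey(rawUrl) {
  const u = new URL(rawUrl);
  return u.host + u.pathname + u.search;
}

// True when two request URLs would share one cache entry under keyFn.
function collides(keyFn, a, b) {
  return keyFn(a) === keyFn(b);
}

// Log review: flag requests whose query string begins with "/" and names a
// payload route, which is the shape the advisory describes. Lines follow a
// common-log-style layout: <ip> - - [<ts>] "<method> <target> HTTP/1.1" <status> <bytes>
const REQUEST_LINE = /"(?:GET|HEAD) (\S+) HTTP\/[0-9.]+"/;
function flagPayloadProbe(logLine) {
  const m = REQUEST_LINE.exec(logLine);
  if (!m) return false;
  const target = m[1];
  const q = target.indexOf('?');
  if (q === -1) return false;
  const query = target.slice(q + 1);
  return query.startsWith('/') && /_payload\.json/.test(query);
}

function suspiciousLines(lines) {
  return lines.filter(flagPayloadProbe);
}

// Constructed sample log lines (hypothetical traffic, not real data).
const SAMPLE_LOG = [
  '203.0.113.7 - - [19/Mar/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
  '203.0.113.7 - - [19/Mar/2025:10:00:02 +0000] "GET /?/_payload.json HTTP/1.1" 200 812',
  '198.51.100.3 - - [19/Mar/2025:10:00:05 +0000] "GET /about?ref=home HTTP/1.1" 200 4099',
];

console.log('weak key collides:', collides(weakCacheKey, 'https://mysite.com/', 'https://mysite.com/?/_payload.json'));
console.log('hardened key collides:', collides(hardenedCacheKey, 'https://mysite.com/', 'https://mysite.com/?/_payload.json'));
console.log('flagged lines:', suspiciousLines(SAMPLE_LOG));
```

A hit in the flagged lines is a reason to verify the CDN's cache-key setting and the deployed Nuxt version, not proof of a successful poisoning on its own.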
Details
- CWE(s)