Cyber Resilience

CVE-2025-27415

High

Published: 19 March 2025

Modified: 03 December 2025
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0026 (49.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27415 is a high-severity Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349) vulnerability in Nuxt. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 49.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2025-27415 is a cache poisoning vulnerability affecting Nuxt, an open-source web development framework for Vue.js, in versions prior to 3.16.0. The issue arises when a Nuxt server is deployed behind a CDN that ignores query strings when determining cache keys for routes. By sending a crafted HTTP request, such as https://mysite.com/?/_payload.json, an attacker can trigger a JSON response that gets cached by the CDN and inadvertently served to subsequent visitors, disrupting normal site functionality. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data).

Any remote attacker without authentication or user interaction can exploit this vulnerability by crafting and sending the malicious request to a vulnerable Nuxt site behind a susceptible CDN configuration. Successful exploitation poisons the CDN cache, causing the site to serve invalid JSON responses to legitimate users instead of the expected HTML, leading to high-impact denial of service that renders the site unavailable indefinitely. Attackers can exacerbate this by automating requests at intervals matching the CDN's caching duration to perpetually refresh the poisoned cache entry.

The Nuxt security advisory at https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 details the fix implemented in version 3.16.0, which prevents the crafted requests from generating cacheable JSON responses. Security practitioners should upgrade to Nuxt 3.16.0 or later and review CDN configurations to ensure query strings are properly considered in cache keys.
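The cache-key behaviour described above can be reproduced offline with a toy model. This is an added example, not code from Nuxt, the advisory or any CDN vendor; the origin function is an assumed simplification of the pre-3.16.0 behaviour, and all names and sample responses are constructed.

```python
# Added illustration: toy CDN cache in front of a toy origin (both constructed).
from urllib.parse import urlsplit

HTML = ("text/html", "<!doctype html><html>home</html>")
JSON = ("application/json", '{"data":{}}')

def origin(url):
    """Assumed simplification of the pre-3.16.0 behaviour the advisory describes:
    a URL that ends in /_payload.json is answered with JSON, even when that
    suffix sits in the query string rather than the path."""
    return JSON if url.endswith("/_payload.json") else HTML

def key_path_only(url):
    # Weak setting: the query string is dropped from the cache key.
    return urlsplit(url).path or "/"

def key_path_and_query(url):
    # Corrected setting: the query string is part of the cache key.
    parts = urlsplit(url)
    return (parts.path or "/") + "?" + parts.query

class Cdn:
    def __init__(self, key_fn):
        self.key_fn, self.store = key_fn, {}

    def get(self, url):
        key = self.key_fn(url)
        if key not in self.store:  # cache miss: fetch from origin and store
            self.store[key] = origin(url)
        return self.store[key]

def homepage_after_crafted_request(key_fn):
    """Content type a later visitor receives for the home page."""
    cdn = Cdn(key_fn)
    cdn.get("https://mysite.com/?/_payload.json")  # request quoted in the advisory
    return cdn.get("https://mysite.com/")[0]

def looks_poisoned(content_type):
    """Monitoring check: an HTML route answering with JSON is a poisoning signal."""
    return not content_type.startswith("text/html")

if __name__ == "__main__":
    for fn in (key_path_only, key_path_and_query):
        ctype = homepage_after_crafted_request(fn)
        print(f"{fn.__name__}: {ctype} poisoned={looks_poisoned(ctype)}")
```

The same content-type check can back a synthetic monitor on HTML routes, so a poisoned entry is noticed and purged rather than reported by users.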

Vulnerability details

Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and highly impact the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json, which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack against a vulnerable site in order to make the site unavailable indefinitely. It is also possible, in the case where the cache will be reset, to make a small script that sends a request every X seconds (= caching duration) so that the cache is permanently poisoned, making the site completely unavailable. This vulnerability is fixed in 3.16.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of the Nuxt web application to perform a denial of service by crafting HTTP requests (e.g., /?/_payload.json) that poison the CDN cache, causing it to serve invalid JSON responses to legitimate HTML requests and rendering the site unavailable indefinitely.

CVEs Like This One

CVE-2026-34404 · Same vendor: Nuxt
CVE-2026-32162 · Shared CWE-349
CVE-2026-42960 · Shared CWE-349
CVE-2026-35641 · Shared CWE-349

Affected Assets

nuxt
nuxt
3.0.0 — 3.16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely flaw remediation by patching Nuxt to version 3.16.0 or later, which prevents generation of cacheable JSON responses for crafted requests.

prevent

Requires secure configuration of CDN caching to include query strings in cache keys, blocking the poisoning attack even on vulnerable Nuxt versions.

prevent

Implements denial-of-service protections at web boundaries to mitigate the high-impact availability disruption from perpetual cache poisoning.
