CVE-2026-34404
Published: 31 March 2026
Summary
CVE-2026-34404 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Nuxt OG Image. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly implements denial-of-service protections to counter resource exhaustion from unrestricted width and height parameters in image generation requests.
- SI-10 (Information Input Validation): enforces validation of user-supplied width and height parameters so that excessive values, which trigger high CPU and memory usage during rendering, are rejected before any image is generated.
- SI-2 (Flaw Remediation): mandates timely patching to Nuxt OG Image version 6.2.5 or later, which introduces restrictions on image dimensions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of the image generation endpoint via crafted requests with excessive width/height parameters, directly causing application resource exhaustion and unresponsiveness as described in T1499.004.
NVD Description
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.
Deeper analysis
CVE-2026-34404 is a Denial of Service (DoS) vulnerability in the Nuxt OG Image module, which generates Open Graph images using Vue templates within Nuxt applications. The flaw affects versions prior to 6.2.5 and resides in the image-generation component accessible via the URI /_og/d/ (or /og-image/ in older versions). It stems from a lack of restrictions on the width and height parameters used in image generation, allowing excessive resource consumption. The issue was confirmed reproducible under standard configuration with default templates and is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. By submitting crafted requests to the affected URI with excessively large width and height values, attackers can trigger high CPU and memory usage during image rendering, leading to server resource exhaustion and potential service disruption.
The GitHub security advisory (GHSA-c7xp-q6q8-hg76) confirms the issue has been patched in Nuxt OG Image version 6.2.5, which introduces restrictions on the width and height parameters to prevent abuse. Because the issue reproduces under the standard configuration with default templates, any deployment of an affected version should be treated as exposed: upgrade to 6.2.5 or later, and, until the upgrade lands, limit exposure of the /_og/d/ (or /og-image/) endpoint, for example by rate limiting it at the reverse proxy, which is the kind of measure SC-5 calls for.
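The following is an added illustration of the input-validation control described above (SI-10) applied to the width/height parameters at the heart of this CVE. It is example code written for this page, not the Nuxt OG Image project's code or its 6.2.5 patch. It assumes the dimensions arrive as `width` and `height` query-string parameters on the image route, and the limits (`MAX_DIMENSION`, `MAX_PIXELS`, the 1200x630 defaults) are assumed values chosen for the example. The `naiveDimensions` function shows the unrestricted pattern as a contrast; the hardened path also caps the total pixel count, because two individually "reasonable" axes can still multiply into an oversized render.

```javascript
// Added example: restricting image dimensions before rendering.
// Not the Nuxt OG Image module's own code; limits and request shape are assumptions.

const DEFAULT_WIDTH = 1200;          // assumed default (common OG size)
const DEFAULT_HEIGHT = 630;          // assumed default
const MAX_DIMENSION = 2048;          // assumed per-axis ceiling
const MAX_PIXELS = 1200 * 630 * 4;   // assumed pixel budget: 4x the default canvas (3,024,000 px)

// Unrestricted pattern (the behaviour class this CVE describes, shown for contrast):
// whatever number the client sends is used as the canvas size.
function naiveDimensions(query) {
  return {
    width: Number(query.width) || DEFAULT_WIDTH,
    height: Number(query.height) || DEFAULT_HEIGHT,
  };
}

// Hardened parser for a single axis: accepts only a plain decimal integer string
// in [1, MAX_DIMENSION]; a missing/empty value falls back to the default;
// anything else (negative, float, exponent, huge) is rejected with null.
function parseDimension(raw, fallback) {
  if (raw === undefined || raw === null || raw === '') return fallback;
  if (typeof raw !== 'string' || !/^\d{1,5}$/.test(raw)) return null;
  const n = Number(raw);
  if (!Number.isSafeInteger(n) || n < 1 || n > MAX_DIMENSION) return null;
  return n;
}

// Validates both axes and the combined pixel budget. Returns
// { ok: true, width, height } or { ok: false, status: 400, reason }.
function validateDimensions(query) {
  const width = parseDimension(query.width, DEFAULT_WIDTH);
  const height = parseDimension(query.height, DEFAULT_HEIGHT);
  if (width === null || height === null) {
    return {
      ok: false,
      status: 400,
      reason: `width and height must be integers between 1 and ${MAX_DIMENSION}`,
    };
  }
  if (width * height > MAX_PIXELS) {
    return { ok: false, status: 400, reason: 'requested image exceeds the pixel budget' };
  }
  return { ok: true, width, height };
}

// Request-level helper: parse the query string of an image request URL
// (hypothetical path shape, mirroring the /_og/d/ route named in the advisory)
// and decide whether rendering may proceed.
function checkRenderRequest(url) {
  const u = new URL(url, 'http://localhost');
  const query = Object.fromEntries(u.searchParams.entries());
  return validateDimensions(query);
}

// Constructed sample requests: a normal one and crafted oversized ones.
const samples = [
  '/_og/d/page.png',
  '/_og/d/page.png?width=1200&height=630',
  '/_og/d/page.png?width=100000&height=100000',
  '/_og/d/page.png?width=2048&height=2048',
  '/_og/d/page.png?width=1e9&height=1e9',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(checkRenderRequest(s)));
}
```

The unrestricted `naiveDimensions` happily returns a 100000x100000 canvas for the crafted request, which is the CPU/memory exhaustion path; the hardened `checkRenderRequest` turns the same input into a 400 before any renderer is invoked. Per-axis caps alone are not enough, which is why `validateDimensions` also rejects 2048x2048 against the assumed budget.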
Details
- CWE(s)