Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft.
PUBLISHED5.2CWE-601
Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo
Problem type
Affected products
Nuxt
Nuxt
< 4.4.7 - AFFECTED
4.4.7 - UNAFFECTED
Nuxt
< 3.21.7 - AFFECTED
3.21.7 - UNAFFECTED
References
GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)
https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3
https://github.com/nuxt/nuxt/commit/2cce6fb02e621196d56df92e05594e07469b5a6d
https://github.com/nuxt/nuxt/commit/2cce6fb02e621196d56df92e05594e07469b5a6d
https://github.com/nuxt/nuxt/commit/1f2dd5e78c77576437138e97671965573c232835
https://github.com/nuxt/nuxt/commit/1f2dd5e78c77576437138e97671965573c232835
VulnCheck Advisory: Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo
https://www.vulncheck.com/advisories/nuxt-server-side-open-redirect-via-path-normalization-bypass-in-navigateto
GitHub Security Advisories
GHSA-c9cv-mq2m-ppp3
Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`
https://github.com/advisories/GHSA-c9cv-mq2m-ppp3Summary
Three weaknesses in Nuxt's client-navigation URL handling, all reachable
from documented public APIs (navigateTo and reloadNuxtApp):
SSR open redirect in
navigateTovia path-normalisation bypass.navigateTodecided whether a target was external by inspecting the raw input withhasProtocol(..., { acceptRelative: true }). Inputs such as/..//evil.com,/.//evil.com,/%2e%2e//evil.com, or/app/..//evil.comslipped past that check because they start with/, but WHATWG URL parsing then normalised them to the protocol-relative pathname//evil.com. The normalised value was written to theLocationresponse header and into the<meta http-equiv="refresh">body of the SSR redirect page, so a victim's browser would resolve the redirect cross-origin to the attacker's host.Client-side script execution via
navigateTo({ open: ... }). The client-side early-open handler calledwindow.open(toPath, ...)without applying theisScriptProtocolcheck that gates the normalnavigateTopath. A target ofjavascript:...(or another script-capable scheme) passed tonavigateTo(url, { open: { ... } })therefore executed in the application's origin instead of being rejected.Open redirect in
reloadNuxtAppvia protocol-relative bypass.reloadNuxtApp({ path })rejects script-capable protocols by parsing the path withnew URL(path, window.location.href)and checking the resolvedprotocolagainstisScriptProtocol. Protocol-relative paths such as//evil.comresolve to the current page's protocol (https:), which passes that check; the value is then assigned towindow.location.href, which the browser treats as a cross-origin redirect. This is the same protocol-relative bypass family as (1), in a different sink.
Impact
For (1), the practical risk is phishing or OAuth-code theft against any
Nuxt app that forwards user-controlled input (for example a ?next=
query parameter on a login route) into navigateTo on the server. The
framework documents that navigateTo blocks external hosts unless
external: true is passed, so maintainers commonly rely on it as the
safe path for post-login redirects.
For (2), any app that passes a user-controlled URL into
navigateTo(url, { open: { ... } }) was vulnerable to reflected XSS in
the application's first-party origin.
For (3), any app that forwards user-controlled input into
reloadNuxtApp({ path }) could be redirected cross-origin for phishing
or OAuth-code theft, even on releases that already shipped the
isScriptProtocol guard added by #35115.
Patches
Fixed in nuxt@4.4.7 and backported to nuxt@3.21.7. The three sinks
are addressed by:
- Path-normalisation bypass in
navigateTo: navigateTo({ open })script-protocol guard:- Protocol-relative bypass in
reloadNuxtApp:
Workarounds
- For (1): validate redirect targets before passing them to
navigateTo, for example reject any input wherenew URL(target, 'http://localhost').pathnamestarts with//, or only accept a known allow-list of paths. - For (2): reject any user-controlled URL whose protocol is not in an
allow-list (typically just
http:andhttps:) before passing it tonavigateTo({ open: ... }). - For (3): same shape as (1). Reject paths starting with
//(or wherenew URL(path, window.location.href).host !== window.location.host) before passing toreloadNuxtApp({ path }).
References
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Credits
Reported by Anthropic / Claude as ANT-2026-S08HN6DH through Anthropic's
coordinated vulnerability disclosure programme.
The reloadNuxtApp protocol-relative bypass (sink 3) was independently
reported by @alcls01111 via GitHub's
coordinated disclosure flow (GHSA-w7fp-2cfv-4837), closed as a
duplicate of this advisory.
github.com
https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3
github.com
https://github.com/nuxt/nuxt/pull/35115
github.com
https://github.com/nuxt/nuxt/pull/35206
github.com
https://github.com/nuxt/nuxt/commit/1f2dd5e78c77576437138e97671965573c232835
github.com
https://github.com/nuxt/nuxt/commit/2cce6fb02e621196d56df92e05594e07469b5a6d
github.com
https://github.com/nuxt/nuxt/commit/3394716d4a913cba904b028df5338f2aead50032
github.com
https://github.com/nuxt/nuxt/commit/62fc32eddf648b00a3890141e0235d2a222b024d
github.com
https://github.com/nuxt/nuxt/commit/6497d99dd106254abd089f6a263d7773869a343b
github.com
https://github.com/nuxt/nuxt/commit/e447a793c47766834f7497f8412a76cd56fd8ee1
github.com
https://github.com/advisories/GHSA-c9cv-mq2m-ppp3
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-56326Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-56326",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-06-22T21:04:50.975Z",
"dateReserved": "2026-06-20T13:06:29.994Z",
"datePublished": "2026-06-22T21:04:50.975Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-06-22T21:04:50.975Z"
},
"datePublic": "2026-06-02T00:00:00.000Z",
"title": "Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo",
"descriptions": [
{
"lang": "en",
"value": "Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft."
}
],
"affected": [
{
"vendor": "Nuxt",
"product": "Nuxt",
"defaultStatus": "unaffected",
"versions": [
{
"version": "4.0.0",
"status": "affected",
"versionType": "semver",
"lessThan": "4.4.7"
},
{
"version": "4.4.7",
"status": "unaffected",
"versionType": "semver"
}
]
},
{
"vendor": "Nuxt",
"product": "Nuxt",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "3.21.7"
},
{
"version": "3.21.7",
"status": "unaffected",
"versionType": "semver"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "URL Redirection to Untrusted Site ('Open Redirect')",
"cweId": "CWE-601",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3",
"name": "GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)",
"tags": [
"vendor-advisory"
]
},
{
"url": "https://github.com/nuxt/nuxt/commit/2cce6fb02e621196d56df92e05594e07469b5a6d",
"name": "https://github.com/nuxt/nuxt/commit/2cce6fb02e621196d56df92e05594e07469b5a6d",
"tags": [
"patch"
]
},
{
"url": "https://github.com/nuxt/nuxt/commit/1f2dd5e78c77576437138e97671965573c232835",
"name": "https://github.com/nuxt/nuxt/commit/1f2dd5e78c77576437138e97671965573c232835",
"tags": [
"patch"
]
},
{
"url": "https://www.vulncheck.com/advisories/nuxt-server-side-open-redirect-via-path-normalization-bypass-in-navigateto",
"name": "VulnCheck Advisory: Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"value": "alcls01111",
"type": "reporter"
}
]
}
}
}