CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-g8wj-3cr3-6w7v: Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

lowCVSS 5.4CVE-2026-46342
Summary The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. Island components are documented as rendering independently of route context - page middleware does not apply to them, and they are intentionally cacheable as a function of their props. This advisory does not treat that contract as a vulnerability. It treats the absence of a binding between the URL the cache keys on and the response served at that URL as one. Impact In applications where a CDN or reverse-proxy in front of the app caches /__nuxt_island/* keyed by path only (ignoring query) - a documented misconfiguration class, see GHSA-jvhm-gjrh-3h93 - an attacker can prime the cache for a path with their own choice of props, and subsequent users requesting the same path receive the attacker's rendered HTML rather than the response intended for them. The cache entry persists until normal expiry. Where the affected island has any prop flowing into an unsafe HTML sink in application code (v-html, innerHTML, a third-party renderer treating a prop as HTML), this becomes stored XSS in the embedding page's origin until the cache entry expires. HttpOnly cookies remain out of reach but anything else in the origin (other cookies, in-origin requests, DOM state) is reachable by the injected script. Preconditions: - experimental.componentIslands enabled (or the default 'auto' with at least one server / island component in the app). - A shared intermediary cache (CDN, reverse-proxy, edge cache) keyed on path only. - For the XSS pivot specifically: an application-authored island that puts a prop through an unsafe HTML sink. Without the second precondition, the response

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
low — CVSS 5.4
Published
2026-05-19
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-g8wj-3cr3-6w7v

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-46342coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories