I think there's an open redirect vulnerability in nuxt.js.
As proof of concept you can use (almost) any nuxt based site, just run $nuxt._router.push("///aaa") in the console.
This manifests as httpx://legitdomain.tld///maliciousdomain.tld redirecting to httpx://maliciousdomain.tld in many nuxt.js based websites.
This kind of client side open redirect is almost only useful for phishing.
Imagine users of a bank get phishing mails with very convincing links like
httpx://legit-domain-of-bank-that-uses-nuxt.com///secure-bank-customer-login.ooo
Some users might enter their bank details at httpx://secure-bank-customer-login.ooo which is not the original domain.
I am not familiar with Nuxt that much, but I believe that by default domain///anotherdomain works.
What always seems to work is getting /// into the nuxt router through the website's custom code.
I'm sorry that I have to report this publicly, but I have written 3 mails and didn't get a response for ~8 weeks.
This was previously reported in #9992 and it was resolved upstream in vue-router: vuejs/vue-router#3652 - as of version 3.5.3. For what it's worth, it only applied in limited situations (such as a catchall route, like _.vue).
Steps to reproduce
Visit httpx://legitdomain.tld///maliciousdomain.tld
What is Expected?
Normalization to httpx://legitdomain.tld/maliciousdomain.tld
What is actually happening?
Redirection to //maliciousdomain.tld
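The expected normalization above can be enforced in application code before a user-influenced path reaches the router. The following is an added example, not code from Nuxt, vue-router or the original report; the function names and the legitdomain.tld origin are assumptions used for illustration.

```javascript
// Added example: names and sample values are constructed for illustration.
const APP_ORIGIN = "https://legitdomain.tld"; // placeholder origin taken from the report

// True when a target, resolved the way a browser resolves a relative URL,
// would leave the application's origin. "///host" parses as a
// protocol-relative reference, so it resolves to https://host/.
function leavesOrigin(target, appOrigin = APP_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(target, appOrigin);
  } catch {
    return true; // unparseable targets are treated as unsafe
  }
  return resolved.origin !== new URL(appOrigin).origin;
}

// Collapse a leading run of slashes to a single slash, so the value can only
// be read as a path on the current origin (the behaviour the report expects).
function normalizePath(target) {
  return target.replace(/^\/{2,}/, "/");
}

// Guard to apply before handing a path to the router: normalize first, then
// fall back to a known-good route if the result still points off-origin.
function safeTarget(target, appOrigin = APP_ORIGIN, fallback = "/") {
  const normalized = normalizePath(target);
  return leavesOrigin(normalized, appOrigin) ? fallback : normalized;
}

// Constructed sample inputs.
for (const t of ["///maliciousdomain.tld", "/account?tab=1", "https://maliciousdomain.tld/x"]) {
  console.log(JSON.stringify(t), "->", JSON.stringify(safeTarget(t)));
}
```

Upgrading vue-router to 3.5.3 or later, as noted in the reply, addresses the router itself; a guard like this covers custom code that builds redirect targets from request data.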