Summary: A newly discovered vulnerability in the Nuxt framework (CVE-2025-27415) allows cache poisoning of CDN resources, which could lead to Denial of Service (DoS). It affects Nuxt versions 3.0.0 through 3.15.0; a poisoned cache serves corrupted responses and can make a site unavailable. The issue stems from how Nuxt handles specific HTTP requests and underlines the need for careful review of caching logic in web applications.
Affected: Nuxt versions 3.0.0 to < 3.16.0
Key points:
- Vulnerability tracked as CVE-2025-27415 with a CVSS score of 7.5.
- Attackers can poison CDN caches by sending crafted HTTP requests, disrupting site availability.
- Patched in Nuxt version 3.16.0; update immediately to prevent potential attacks.
- The vulnerability resembles a previous issue in Next.js, highlighting risks in URL manipulation.
- With over 3.4 million monthly downloads, Nuxt's popularity makes it a significant target for attackers.
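
To check a project against the affected range above (3.0.0 to < 3.16.0), the following added example, which is not code from the Nuxt project or the advisory, scans the `packages` map of an npm lockfile for installed copies of `nuxt`. The function names and the sample lockfile are constructed for illustration; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3.

```javascript
// Added example: flag Nuxt installs inside the advisory's affected range.
const AFFECTED_FROM = [3, 0, 0]; // first affected version, from the advisory
const PATCHED_IN = [3, 16, 0];   // first patched version, from the advisory

// Parse "3.15.4" into [3, 15, 4]; returns null for malformed input.
// Prerelease suffixes (e.g. "-rc.1") are ignored here; review those by hand.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compare(v, AFFECTED_FROM) >= 0 && compare(v, PATCHED_IN) < 0;
}

// Walk the lockfile's "packages" map and report every affected copy of
// nuxt, including copies nested under another dependency.
function findAffectedNuxt(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/nuxt$/.test(path)) continue;
    if (isAffected(meta.version)) findings.push({ path, version: meta.version });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/nuxt": { version: "3.15.4" },
    "node_modules/@nuxt/kit": { version: "3.15.4" },
    "node_modules/legacy-widget/node_modules/nuxt": { version: "3.16.0" },
    "node_modules/docs-theme/node_modules/nuxt": { version: "2.17.3" },
  },
};
console.log(findAffectedNuxt(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`.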