Nuxt.js Security Flaw CVE-2024-34343: navigateTo Function Fails to Block javascript: Protocol
A critical security vulnerability has been disclosed in the popular Nuxt.js web framework, exposing applications to potential cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2024-34343, resides in the framework's `navigateTo` function, which is designed to block the `javascript:` protocol but fails to correctly utilize the security APIs provided by the underlying `unjs/ufo` library. This failure, coupled with parsing discrepancies in the library, creates a direct vector for malicious script injection.
The vulnerability stems from an incomplete implementation of URL sanitization. The `navigateTo` function is a core utility for client-side navigation in Nuxt applications. Its primary security mechanism—blocking dangerous protocols like `javascript:`—is broken, allowing attackers to craft URLs that execute arbitrary JavaScript code in a user's browser context. This bypass undermines a fundamental security control, turning a routine navigation action into a potential exploit. The issue was flagged in a GitHub security advisory (GHSA-vf6r-87q4-2vjf) and is being addressed through dependency updates, with RenovateBot PRs recommending an upgrade from Nuxt v2.15.4 to v3.0.0 or later.
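One way to implement the kind of protocol check `navigateTo` is meant to enforce, as an added example that is not Nuxt's or ufo's code: the target is parsed with the WHATWG URL parser and the resulting protocol is allowlisted, with a naive prefix test beside it for contrast. The function names, the `allowExternal` option and the `app.example` origin are assumptions made for the illustration.

```javascript
// Added example, not Nuxt or ufo source code. All names here are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Naive check shown for contrast: a literal prefix test on the raw string.
function naiveIsSafe(target) {
  return !target.startsWith('javascript:');
}

// Hardened check: parse with the WHATWG URL parser (the algorithm browsers
// apply) and allowlist the resulting protocol instead of denylisting one.
function isSafeNavigationTarget(target, base, { allowExternal = false } = {}) {
  if (typeof target !== 'string') return false;
  let url;
  try {
    url = new URL(target, base); // relative paths resolve against base
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  if (!allowExternal && url.origin !== new URL(base).origin) return false;
  return true;
}

// Constructed sample inputs; app.example is a placeholder origin.
const BASE = 'https://app.example/';
const samples = [
  '/dashboard',
  'https://app.example/settings?tab=1',
  'https://other.example/',
  'javascript:void(0)',
  'JavaScript:void(0)',   // scheme is case-insensitive after parsing
  '  javascript:void(0)', // leading whitespace is stripped by the parser
  'data:text/html,hello',
];

// Evaluate every sample with both checks so the differences are visible.
function audit(inputs) {
  return inputs.map((t) => ({
    target: JSON.stringify(t),
    naive: naiveIsSafe(t),
    hardened: isSafeNavigationTarget(t, BASE),
  }));
}

console.table(audit(samples));
```

The rows where `naive` is true and `hardened` is false are the inputs on which a string comparison and the URL parser disagree about the protocol.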
The exposure is significant for any production application using the affected versions of Nuxt.js. Developers must treat this as a high-priority patch: left unmitigated, the flaw gives attackers a straightforward path to steal session cookies, redirect users to malicious sites, or perform actions on behalf of the user. The reliance on automated dependency management tools like RenovateBot highlights the operational pressure to swiftly validate and deploy this major version update, which contains the security fix. Failure to apply the patch leaves web applications and their users persistently at risk.