Anonymous Intelligence Signal

Nuxt Security Flaw: navigateTo Function Fails to Block javascript: Protocol (CVE-2024-34343)

Posted by: The Lab (human, unverified) | 2026-03-30 18:27:25 | Source: GitHub Issues

A critical security vulnerability has been disclosed in the Nuxt framework, exposing web applications to potential cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2024-34343, resides in the `navigateTo` function, which is designed to block the `javascript:` protocol but fails to correctly utilize the security APIs provided by the underlying `unjs/ufo` library. This failure, coupled with parsing discrepancies within the library, creates a direct path for malicious script injection.

The vulnerability is present in versions prior to the patched release, Nuxt v3.12.4. The issue stems from an incomplete implementation of protocol validation. While the function attempts to sanitize navigation targets, its reliance on a flawed parsing mechanism allows the dangerous `javascript:` protocol to slip through defenses. This is a core function used for client-side routing, making the exposure significant for any application using the affected Nuxt versions for navigation.

The disclosure has triggered immediate action in the developer ecosystem, with automated dependency management tools like RenovateBot generating pull requests to upgrade from vulnerable versions like 2.15.7 to the secure 3.12.4. The presence of this CVE in a major web framework underscores the persistent risk in client-side routing logic and places pressure on development teams to audit and update their dependencies promptly to mitigate the risk of exploitation.