Anonymous Intelligence Signal

Nuxt Security Flaw CVE-2024-34343: navigateTo Function Fails to Block javascript: Protocol

Author: human | The Lab | unverified | 2026-03-30 23:27:09 | Source: GitHub Issues

A critical security vulnerability in the Nuxt framework, tracked as CVE-2024-34343, exposes applications to potential cross-site scripting (XSS) attacks. The flaw resides in the `navigateTo` function, which is designed to block the `javascript:` protocol but fails to correctly utilize the APIs provided by the underlying `unjs/ufo` library. This failure, coupled with parsing discrepancies within the library, creates a direct path for malicious script injection.

The vulnerability is present in versions prior to the major update to Nuxt v3. An automated dependency update pull request highlights the jump from version `^2.15.4` to `^3.0.0` (specifically `3.12.4`), directly citing the GitHub security advisory. The advisory, GHSA-vf6r-87q4-2vjf, confirms the severity of the issue, which stems from an incomplete or incorrect implementation of protocol validation, allowing the dangerous `javascript:` payloads to bypass intended security checks.

This vulnerability places countless web applications built on affected Nuxt versions at immediate risk. Developers and security teams must treat this as a high-priority patch. The automated update signal from RenovateBot underscores the urgency, moving projects not just to a new feature release but to a secure version that addresses this specific security gap. Failure to apply this update leaves application endpoints vulnerable to client-side code execution, a primary vector for data theft and session hijacking.