Nuxt.js Framework Security Alert: CVE-2025-27415 Exposes Sites to CDN Cache Poisoning Attacks

A critical security vulnerability in the popular Nuxt.js framework allows attackers to poison CDN caches, potentially rendering websites completely unavailable. The flaw, tracked as CVE-2025-27415, enables a threat actor to craft a specific HTTP request that forces a server to return a JSON response. If the site uses a Content Delivery Network (CDN) that ignores query strings when caching, this malicious JSON payload can be stored and subsequently served to all future visitors, breaking the site's functionality.

The vulnerability is triggered by sending a request to a path like `https://mysite.com/?/_payload.json`. Under certain configurations, this bypasses normal page rendering and outputs JSON instead. The core risk lies in the interaction between the Nuxt application and its caching layer. This is not a theoretical issue; it represents a direct path for an attacker to target the availability of a live production site, making it a high-impact threat for any organization using a vulnerable version of Nuxt behind a CDN.

The advisory underscores the immediate need for developers and site administrators to update their Nuxt dependencies to the patched version. The security update is included in Nuxt v3.19.0. Failure to patch leaves web applications exposed to a denial-of-service style attack that could take a site offline for all users served by the poisoned cache, highlighting a critical dependency on both framework security and CDN configuration hygiene.