CVE-2025-27415
📋 TL;DR
This vulnerability allows attackers to poison CDN caches by sending crafted HTTP requests to Nuxt applications, causing JSON responses to be served to legitimate users instead of proper web pages. This can make a website completely unavailable, because visitors receive the cached JSON response instead of the page. All Nuxt applications running versions before 3.16.0 behind CDNs that ignore query strings for caching decisions are affected.
💻 Affected Systems
- Nuxt
📦 What is this software?
Nuxt by Nuxt
⚠️ Risk & Real-World Impact
Worst Case
Complete and indefinite unavailability of the website as attackers permanently poison the CDN cache, serving JSON responses to all visitors instead of the actual site content.
Likely Case
Temporary service disruption where attackers poison the cache for the duration of the caching TTL, causing users to receive JSON errors instead of the website.
If Mitigated
Minimal impact if CDN properly respects query strings for cache keys or if the application is patched, preventing cache poisoning entirely.
🎯 Exploit Status
Exploitation requires understanding of both Nuxt routing and CDN caching behavior. Attackers need to identify vulnerable CDN configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.16.0
Vendor Advisory: https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93
Restart Required: No
Instructions:
1. Update Nuxt to version 3.16.0 or later using npm: 'npm update nuxt' or yarn: 'yarn upgrade nuxt'.
2. Verify the update completed successfully.
3. Deploy the updated application to production.
🔧 Temporary Workarounds
Configure CDN to include query strings in cache keys
Modify CDN configuration to use full URLs (including query strings) as cache keys, preventing the cache poisoning attack.
Implement custom middleware to block malicious requests
Add server-side middleware to detect and block requests with suspicious patterns like '/_payload.json' in query strings.
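One way to write the blocking middleware described above, as an added example (not code from Nuxt or the advisory). It assumes a connect-style `(req, res, next)` handler in front of the app; the function names, the decode-round limit and the sample URLs are constructed for illustration.

```javascript
// Added example: connect-style guard (req, res, next); names are hypothetical.
const MARKER = '_payload.json';
const MAX_DECODE_ROUNDS = 3; // assumption: bound on nested percent-encoding

// Percent-decode repeatedly so %2F_payload.json and %252F_payload.json are seen.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return current; // malformed escape: inspect what was decoded so far
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when the query string carries the marker. Only the query is inspected;
// a request whose path ends in _payload.json is left alone.
function queryHasPayloadMarker(rawUrl) {
  const q = rawUrl.indexOf('?');
  if (q === -1) return false;
  const query = rawUrl.slice(q + 1).split('#')[0];
  return fullyDecode(query).toLowerCase().includes(MARKER);
}

// Rejects flagged requests and marks the rejection itself as uncacheable.
function blockPayloadQuery(req, res, next) {
  if (!queryHasPayloadMarker(req.url || '')) return next();
  res.statusCode = 400;
  res.setHeader('Cache-Control', 'no-store');
  res.setHeader('Content-Type', 'text/plain; charset=utf-8');
  res.end('Bad Request');
}

// Constructed sample request targets (not taken from real traffic).
const SAMPLE_URLS = [
  '/about',
  '/blog/post/_payload.json',
  '/?/_payload.json',
  '/about?x=%2F_payload.json',
  '/about?x=%252F_PAYLOAD.json',
  '/about?ref=%E0%A4%A',
];
function classifySamples() {
  return SAMPLE_URLS.map((u) => queryHasPayloadMarker(u));
}
```

The `Cache-Control: no-store` header on the 400 response keeps a CDN that ignores query strings from caching the rejection under the clean URL.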
🧯 If You Can't Patch
- Configure CDN to bypass cache for requests containing '/_payload.json' in query parameters
- Implement rate limiting or WAF rules to block suspicious request patterns
🔍 How to Verify
Check if Vulnerable:
Check if your Nuxt version is below 3.16.0 by examining package.json or running 'npm list nuxt'. Also verify if your CDN ignores query strings for caching.
Check Version:
npm list nuxt | grep nuxt
Verify Fix Applied:
After updating to 3.16.0+, verify the version and test that requests with '/_payload.json' in query strings no longer return JSON responses that could poison cache.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with '/_payload.json' in query strings
- Unusual increase in JSON responses being served to users
- CDN cache miss patterns showing poisoned content
Network Indicators:
- Requests to URLs with '?_payload.json' query parameters
- JSON responses being served for normal page requests
SIEM Query:
source=web_logs AND (url_query CONTAINS '_payload.json' OR (response_content_type='application/json' AND status_code=200))