- Description
- Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and severely impact the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json, which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack against a vulnerable site in order to make the site unavailable indefinitely. Where the cache is reset periodically, a small script that sends a request every X seconds (X = caching duration) can keep the cache permanently poisoned, making the site completely unavailable. This vulnerability is fixed in 3.16.0.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-349
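The cache-key condition in the description, as an added example that is not code from Nuxt, the advisory or any CDN vendor: a small model showing that the homepage is only replaced by JSON when the cache key ignores the query string, plus a log check for the request shape. The origin's payload test, the host `mysite.example` and all function names are assumptions made for illustration.

```javascript
// Added example: simplified model, not Nuxt or CDN vendor code.
const BASE = 'https://mysite.example'; // placeholder host (assumption)

// Assumption: the origin treats a request as a payload request when the full
// URL (path + query) ends in /_payload.json, as the advisory describes.
function originRender(pathAndQuery) {
  return /\/_payload\.json$/.test(pathAndQuery)
    ? { type: 'application/json', body: '{"data":{}}' }
    : { type: 'text/html', body: '<!doctype html><h1>Home</h1>' };
}

// CDN model: the cache key either ignores or includes the query string.
function makeCdn({ ignoreQuery }) {
  const cache = new Map();
  return (rawUrl) => {
    const u = new URL(rawUrl, BASE);
    const key = ignoreQuery ? u.pathname : u.pathname + u.search;
    if (!cache.has(key)) cache.set(key, originRender(u.pathname + u.search));
    return cache.get(key);
  };
}

// Replays requests through a fresh CDN, then reports what "/" is served as.
function homepageTypeAfter(cdnOptions, requests) {
  const cdn = makeCdn(cdnOptions);
  requests.forEach((r) => cdn(r));
  return cdn('/').type;
}

// Log check: payload marker in the query string but not in the path.
function isSuspiciousRequest(rawUrl) {
  const u = new URL(rawUrl, BASE);
  let query = u.search;
  try { query = decodeURIComponent(u.search); } catch { /* keep raw query */ }
  return query.includes('/_payload.json') && !u.pathname.endsWith('/_payload.json');
}

// Constructed sample request sequence (not taken from real logs).
const sample = ['/?/_payload.json', '/about', '/blog/_payload.json'];
console.log(homepageTypeAfter({ ignoreQuery: true }, sample));  // application/json
console.log(homepageTypeAfter({ ignoreQuery: false }, sample)); // text/html
console.log(sample.filter(isSuspiciousRequest));
```

Including the query string in the cache key (or stripping it at the edge before the request reaches the origin) removes the collision in this model; upgrading to 3.16.0 remains the fix the advisory names.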
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
4
CVE-2025-27415 ( Cache Poisoning Nuxt.js < 3.16.0) https://t.co/PLmQuvirBR
@soltanali0
3 Apr 2025
1268 Impressions
1 Retweet
15 Likes
3 Bookmarks
0 Replies
0 Quotes
🚨 Nuxt users should be alert! A high-severity vulnerability (CVE-2025-27415) affects versions 3.0.0 to 3.15.0, enabling cache poisoning attacks. Update to 3.16.0 to mitigate risks. #NuxtFramework #CachePoisoning #France link: https://t.co/KCJXu0pJr4 https://t.co/FuoyoNekLe
@TweetThreatNews
24 Mar 2025
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-27415 Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circ… https://t.co/5kkXgMPnlV
@CVEnew
19 Mar 2025
414 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes