chore(deps): update devdependency nuxt to v4.4.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nuxt (source)	4.3.1 → 4.4.6

---

Nuxt: Reflected XSS in navigateTo() external redirect

CVE-2026-45669 / GHSA-fx6j-w5w5-h468

More information

Details

Summary

navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin.

This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed javascript: protocol bypass. The issue here is triggered by any valid URL containing >.

Impact

Applications that pass user-controlled input to navigateTo(url, { external: true }) — typically via a ?next= / ?redirect= query parameter used for post-login or "return to" flows — are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires.

Details

In packages/nuxt/src/app/composables/router.ts, the SSR redirect path builds an HTML response body with only " percent-encoded in the destination URL:

const encodedLoc = location.replace(/"/g, '%22')
nuxtApp.ssrContext!['~renderResponse'] = {
status: sanitizeStatusCode(options?.redirectCode || 302, 302),
body: `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`,
headers: { location: encodeURL(location, isExternalHost) },
}

The Location header is normalised through encodeURL() (which uses the URL constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause.

Proof of concept

Global middleware that forwards a query parameter to navigateTo:

// middleware/redirect.global.ts
export default defineNuxtRouteMiddleware((to) => {
const next = to.query.next as string | undefined
if (next) {
 return navigateTo(next, { external: true })
}
})

Request:

GET /?next=https://evil.example/x><img src=x onerror=alert(document.domain)>

Response body:

<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=https://evil.example/x><img src=x onerror=alert(document.domain)>"></head></html>

The > after evil.example/x terminates the content="…" attribute, and the <img onerror> tag executes JavaScript in the application's origin before any redirect
occurs.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #​35052. The fix percent-encodes the full set of HTML-attribute-significant characters (&, ", ', <, >) before interpolating the URL into the meta-refresh body

Workarounds

If you can't upgrade immediately, validate user-controlled URLs before passing them to navigateTo(url, { external: true }). At minimum, normalise through new URL(input).toString() and reject inputs containing < or > (a normalised URL with these characters is malformed and safe to refuse).

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468
• https://github.com/nuxt/nuxt/pull/35052
• https://github.com/advisories/GHSA-fx6j-w5w5-h468

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nuxt/nuxt (nuxt)

v4.4.6

Compare Source

v4.4.5

Compare Source

4.4.5 is the next patch release.

👉 Changelog

compare changes

🔥 Performance

• kit: Cache layer roots and short-circuit isIgnored relative (#​35015)

🩹 Fixes

• vite: Resolve vite clientServer with ssr: false (#​34959)
• nitro: Correct payload route rule for / + override ssr: true (#​34990)
• nitro: Break recursive rendering deadlocks during prerender (#​34939)
• vite: Drop redundant css link when entry styles are inlined (#​34950)
• vite: Sort optimizeDeps.include in pre-bundle hint (#​34976)
• nuxt: Only force suspense remount after first resolve (#​34949)
• kit: Read .env before resolving nuxt schema (#​34958)
• nitro: Preserve serverHandlers array after nitro:config (#​34985)
• nuxt: Cast partial nitro handlers when prepending to server arrays (61dcde4db)
• vite: Only consider CSS inlined when styles are actually emitted (#​35006)
• nuxt: Dedupe getCachedData for concurrent callers sharing a key (#​34999)
• nuxt: Respect factory fetch/baseURL options in server useFetch (#​35003)
• nuxt: Handle string presets in auto-imports (#​35013)
• nuxt: Correct island transform for server pages and 'deep' mode (#​35005)
• vite: Inline css for non-island children of server components (#​35001)
• nuxt: Defer head DOM updates until page transition finishes (#​35016)
• nuxt: Explicitly freeze head during island plugin phase (#​35010)
• vite: Inline css imported from non-vue js modules (#​35020)

📖 Documentation

• Add warning about routing in server components (#​34994)

🏡 Chore

• Fix lockfile (c3ee07801)
• Pin jiti (c8102228f)
• Lint (39422b6d2)
• Pin @vue/compiler-sfc (cd404a14c)
• Ignore pnpm cyclic workspace deps warn (#​34998)
• Remove jiti from build steps (#​35004)

✅ Tests

• Extract server components fixture + add some failing tests (#​34995)
• Isolate buildDir per matrix project for shared fixtures (#​35007)
• Remove tests for 5.x runtimeBaseURL fature (816c25487)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Harlan Wilton (@​harlan-zw)
• Jonazzzz (@​Bombastickj)
• Damian Głowala (@​DamianGlowala)
• Florian Heuberger (@​Flo0806)

v4.4.4

Compare Source

v4.4.2

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

❌ Deploy Preview for friendly-lamington-fb5690 failed. Why did it fail? →

Name	Link
🔨 Latest commit	84aced7
🔍 Latest deploy log	https://app.netlify.com/projects/friendly-lamington-fb5690/deploys/6a0cba8bb7757100082e5479