CVE-2024-34343: 
JavaScript vulnerability analysis and mitigation

Nuxt, a free and open-source framework for creating full-stack web applications with Vue.js, was found to contain a vulnerability in its navigateTo function. The vulnerability (CVE-2024-34343) was discovered and disclosed on August 5, 2024, affecting versions prior to 3.12.4. The issue stems from incorrect implementation of protocol blocking mechanisms, specifically in handling the javascript: protocol using the unjs/ufo library APIs (GitHub Advisory).

The vulnerability arises from parsing discrepancies in the URL handling mechanism. The navigateTo function first checks for protocol using the unjs/ufo package, which correctly identifies javascript: protocols. However, the subsequent parseURL function refuses to parse poorly formatted URLs, returning null/empty values. The isScriptProtocol function, which checks against a protocol list, fails to perform proper parsing. Additionally, whitespace is not stripped in the parseURL implementation, allowing bypass of isScriptProtocol checks. Special protocols can be bypassed by inserting newline or tab characters into the sequence. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST and 6.3 (Medium) by GitHub (NVD, GitHub Advisory).

The vulnerability can lead to Cross-Site Scripting (XSS) attacks, but only after Server-Side Rendering (SSR) has occurred. Successful exploitation could allow attackers to access cookies and make requests on behalf of users. The javascript: protocol within a location header does not trigger XSS (GitHub Advisory).

The vulnerability has been patched in version 3.12.4 and all users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (NVD).