CVE-2024-34344: 
JavaScript vulnerability analysis and mitigation

Nuxt, a free and open-source framework for creating full-stack web applications with Vue.js, was found to contain a vulnerability (CVE-2024-34344) due to insufficient validation of the path parameter in the NuxtTestComponentWrapper. The vulnerability was discovered and disclosed on August 5, 2024, affecting versions 3.4.0 through 3.12.4 (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript on the server side through the NuxtTestComponentWrapper component, which can lead to arbitrary command execution. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The weakness is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability enables remote code execution when users run e2e tests locally. When users open a malicious web page while running tests, the attacker can achieve remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly attempt to exploit this vulnerability, triggering the exploit when the test server starts (GitHub Advisory).

The vulnerability has been patched in version 3.12.4 and later. Users are advised to upgrade to the patched version to mitigate the risk (GitHub Advisory).