CVE-2025-27415: 
JavaScript vulnerability analysis and mitigation

Nuxt, an open-source web development framework for Vue.js, was found to contain a critical vulnerability (CVE-2025-27415) affecting versions 3.0.0 through 3.16.0. The vulnerability, discovered in March 2025, allows attackers to perform cache poisoning attacks against servers behind CDNs, potentially causing significant service disruption (NVD, GitHub Advisory).

The vulnerability involves sending crafted HTTP requests to servers behind CDNs, specifically targeting the payload rendering response. An attacker can craft requests such as 'https://mysite.com/?/_payload.json' which will be rendered as JSON. If the CDN ignores the query string when determining cache routes, the malicious JSON response could be cached and served to subsequent visitors. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can result in complete site unavailability through cache poisoning. Attackers can make a site unavailable indefinitely, and in cases where the cache resets, they can create scripts to send requests at intervals matching the caching duration, ensuring permanent cache poisoning. This attack particularly impacts the availability of affected sites, with no direct effect on confidentiality or integrity (Security Online, GitHub Advisory).

The vulnerability has been patched in Nuxt version 3.16.0. Users running affected versions (3.0.0 to 3.16.0) should upgrade immediately to the patched version to protect against cache poisoning attacks (NVD).

The vulnerability has drawn comparisons to a similar issue in Next.js (CVE-2024-46982), highlighting a broader pattern of cache-related vulnerabilities in modern web frameworks (GitHub Advisory).