GHSA-MM7M-92G8-7M47

Vulnerability from github – Published: 2026-06-16 13:48 – Updated: 2026-06-16 13:48
VLAI
Summary
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Details

Impact

Nuxt looks up routeRules for the current navigation by calling getRouteRules({ path: to.path }) from the page-router plugin and the no-pages router plugin. The compiled routeRules matcher (built on rou3) performs case-sensitive matching, while vue-router is configured with its default sensitive: false and matches paths case-insensitively.

The two routers therefore disagree on which rules apply to a given request path: vue-router still matches the page record for /Admin/dashboard, but the routeRules lookup for the same path returns no match. Any appMiddleware declared via routeRules is never added to the middleware set and never runs, on both SSR and client navigations. The same path skips other path-keyed route rules in the same way (ssr, redirect, appLayout, and the prerender / payload hints used client-side).

For applications using routeRules with appMiddleware as an authorization gate (a documented pattern), an attacker can flip the case of any static segment in a protected URL (for example /Admin/dashboard instead of /admin/dashboard) to render the protected page with the middleware skipped. The server returns the fully server-rendered page including any useFetch / useAsyncData results captured during SSR.

This is an instance of CWE-178 (Improper Handling of Case Sensitivity) leading to CWE-863 (Incorrect Authorization) for apps that treat appMiddleware as an authorization boundary.

Mitigating factors

  • Only affects apps that use routeRules.appMiddleware. The more idiomatic definePageMeta({ middleware }) is bound to the matched route record and is unaffected.
  • Nuxt route middleware is documented as an app-layer concern, not a server-side auth boundary; well-built apps enforce authorization again at the API / data-fetching layer.
  • Apps that explicitly set router.options.sensitive = true are not affected.

Patches

Fixed in nuxt@4.4.7 (commit 07e39cd6) and backported to nuxt@3.21.7 (commit 3f3e3fa7). The fix normalizes the path used for routeRules lookups so it matches vue-router's default case-insensitive semantics.

Workarounds

Until you can upgrade, you can mitigate by either:

  1. Setting router.options.sensitive = true so vue-router matches case-sensitively (this changes route-matching behaviour app-wide).
  2. Moving security-critical middleware off routeRules.appMiddleware and onto definePageMeta({ middleware: [...] }) on the protected page components, which is bound to the matched record.
  3. Enforcing authorization at the API / data-fetching layer (which you should be doing in any case).

Credit

Reported by Anthropic / Claude through Anthropic's coordinated vulnerability disclosure process. Reference: ANT-2026-9FSEBYMC.

Severity
8.8 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11.0"
            },
            {
              "fixed": "3.21.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T13:48:31Z",
    "nvd_published_at": "2026-06-12T15:16:31Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\nNuxt looks up `routeRules` for the current navigation by calling\n`getRouteRules({ path: to.path })` from the page-router plugin and the\nno-pages router plugin. The compiled `routeRules` matcher (built on\n`rou3`) performs case-sensitive matching, while vue-router is configured\nwith its default `sensitive: false` and matches paths case-insensitively.\n\nThe two routers therefore disagree on which rules apply to a given\nrequest path: vue-router still matches the page record for\n`/Admin/dashboard`, but the `routeRules` lookup for the same path\nreturns no match. Any `appMiddleware` declared via `routeRules` is never\nadded to the middleware set and never runs, on both SSR and client\nnavigations. The same path skips other path-keyed route rules in the\nsame way (`ssr`, `redirect`, `appLayout`, and the prerender / payload\nhints used client-side).\n\nFor applications using `routeRules` with `appMiddleware` as an\nauthorization gate (a documented pattern), an attacker can flip the case\nof any static segment in a protected URL (for example `/Admin/dashboard`\ninstead of `/admin/dashboard`) to render the protected page with the\nmiddleware skipped. The server returns the fully server-rendered page\nincluding any `useFetch` / `useAsyncData` results captured during SSR.\n\nThis is an instance of CWE-178 (Improper Handling of Case Sensitivity)\nleading to CWE-863 (Incorrect Authorization) for apps that treat\n`appMiddleware` as an authorization boundary.\n\n## Mitigating factors\n\n- Only affects apps that use `routeRules.appMiddleware`. The more\n  idiomatic `definePageMeta({ middleware })` is bound to the matched\n  route record and is unaffected.\n- Nuxt route middleware is documented as an app-layer concern, not a\n  server-side auth boundary; well-built apps enforce authorization\n  again at the API / data-fetching layer.\n- Apps that explicitly set `router.options.sensitive = true` are not\n  affected.\n\n## Patches\n\nFixed in `nuxt@4.4.7` (commit [`07e39cd6`](https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb)) and backported to `nuxt@3.21.7` (commit [`3f3e3fa7`](https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e)). The fix normalizes the path used for `routeRules` lookups so it matches vue-router\u0027s default case-insensitive semantics.\n\n## Workarounds\n\nUntil you can upgrade, you can mitigate by either:\n\n1. Setting `router.options.sensitive = true` so vue-router matches\n   case-sensitively (this changes route-matching behaviour app-wide).\n2. Moving security-critical middleware off `routeRules.appMiddleware`\n   and onto `definePageMeta({ middleware: [...] })` on the protected\n   page components, which is bound to the matched record.\n3. Enforcing authorization at the API / data-fetching layer (which you\n   should be doing in any case).\n\n## Credit\n\nReported by Anthropic / Claude through Anthropic\u0027s coordinated\nvulnerability disclosure process. Reference: ANT-2026-9FSEBYMC.",
  "id": "GHSA-mm7m-92g8-7m47",
  "modified": "2026-06-16T13:48:31Z",
  "published": "2026-06-16T13:48:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53721"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.