chore(deps): update dependency nuxt to v3.19.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nuxt (source)	3.18.1 -> 3.19.0

GitHub Vulnerability Alerts

CVE-2025-59414

Summary

A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

Technical Details

The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:

1. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
2. This data gets serialized with devalue.stringify and stored in the prerendered page
3. When a client navigates to the prerendered page, devalue.parse deserializes the payload
4. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences

Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

1. Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
2. Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
3. Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)

Attack Scenario

// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment

• Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
• No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
• Client-Side Only: Requests originate from the client, not the server

Mitigation

Action Required:

• Update to Nuxt 3.19.0+ or 4.1.0+ immediately
• Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

1. Disable prerendering for pages that fetch user-controlled data
2. Implement strict input validation on API endpoints used during prerendering
3. Use allowlists for API response structures during prerendering

Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

• Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
• Maximum length of 100 characters
• Prevents path traversal and special characters

---

Release Notes

nuxt/nuxt (nuxt)

v3.19.0

Compare Source

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Add ignore option to resolveFiles (#​32858)
• kit: Add onInstall and onUpgrade module hooks (#​32397)
• nuxt,vite: Add experimental support for rolldown-vite (#​31812)
• nuxt: Extract defineRouteRules to page rules property (#​32897)
• nuxt,vite: Use importmap to increase chunk stability (#​33075)
• nuxt: Lazy hydration macros without auto-imports (#​33037)
• kit,nuxt,schema: Allow modules to specify dependencies (#​33063)
• kit,nuxt: Add getLayerDirectories util and refactor to use it (#​33098)

🔥 Performance

• nuxt: Clear inline route rules cache when pages change (#​32877)
• nuxt: Stop watching app manifest once a change has been detected (#​32880)

🩹 Fixes

• nuxt: Handle satisfies in page augmentation (#​32902)
• nuxt: Type response in useFetch hooks (#​32891)
• nuxt: Add TS parenthesis and as expression for page meta extraction (#​32914)
• nuxt: Use correct unit thresholds for relative time (#​32893)
• nuxt: Handle uncached current build manifests (#​32913)
• kit: Resolve directories in resolvePath and normalize file extensions (#​32857)
• schema,vite: Bump requestTimeout + allow configuration (#​32874)
• nuxt: Deep merge extracted route meta (#​32887)
• nuxt: Do not expose app components until fully resolved (#​32993)
• kit: Only exclude node_modules/ if no custom srcDir (#​32987)
• nuxt: Compare final matched routes when syncing route object (#​32899)
• nuxt: Make vue server warnings much less verbose in dev mode (#​33018)
• schema: Allow disabling cssnano/autoprefixer postcss plugins (#​33016)
• kit: Ensure local layers are prioritised alphabetically (#​33030)
• kit,nuxt: Expose global types to vue compiler (#​33026)
• nuxt: Support config type inference for defineNuxtModule().with() (#​33081)
• nuxt: Search for colliding names in route children (31a9282c2)
• nuxt: Delete nuxtApp._runningTransition on resolve (#​33025)
• nuxt: Add validation for nuxt island reviver key (#​33069)
• kit: Prioritise local layers over extended layers (ae8b0d2b8)
• kit: Address merge conflict (89ccbbebb)
• kit: Do not resolve public dir aliases (5d87d3a80)

💅 Refactors

• nuxt: Simplify page segment parsing (#​32901)
• nuxt: Remove unnecessary async/await in afterEach (#​32999)
• vite: Simplify inline chunk iteration (9ea90fc33)
• kit,nuxt,ui-templates,vite: Address deprecations + improve regexp perf (#​33093)

📖 Documentation

• Add a section about augmenting types with TS project references (#​32843)
• Switch example to use vitest projects (#​32863)
• Update testing setupTimeout and add teardownTimeout (#​32868)
• Add middleware to layers guide (fa516d440)
• Add documentation for --nightly command (#​32907)
• Update package information in roadmap section (#​32881)
• Add more info about nuxt spa loader element attributes (#​32871)
• Correct filename in example (#​33000)
• Add more information about using useRoute and accessing route in middleware (#​33004)
• Avoid variable shadowing in locale example (#​33031)

🏡 Chore

• Remove stray test file (42fd247a4)
• Ignore webpagetest.org when scanning links (cb18f4960)
• Add type: 'module' in playground (#​33099)

✅ Tests

• Add failing test for link component duplication (#​32792)
• Simplify module hook tests (#​32950)
• Refactor stubbing of import.meta.dev (#​33023)
• Use findWorkspaceDir rather than relative paths to repo root (c4c3ada96)
• Improve router test for global transitions (7e6a6fc35)
• Use expect.poll (f4354203a)
• Use expect.poll instead of expectWithPolling (15ca5be95)
• Use vi.waitUntil instead of custom retry logic (4c8c13090)
• Update test for app creation (9a3b44515)
• Update bundle size snapshot (76988ce97)

🤖 CI

• Remove double set of tests for docs prs (14c006ac4)
• Add workflow for discord team discussion threads (f14854fc3)
• Fix some syntax issues with discord + github integrations (c059f7cd1)
• Use token for adding issue to project (51661bac3)
• Use discord bot to create thread automatically (37f9eb27b)
• Only use discord bot (38ce2dcbb)
• Update format of discord message (0047b3059)
• Try bolding entire line (6e9f40eb9)
• Oops (8b044cad2)
• Add delay after adding each reaction (37b7e2108)
• Use last lts node version for testing (98719c065)
• Try npm trusted publisher (ea33502c3)
• Use npm trusted publisher for main releases (31a55437f)
• Change wording (#​32979)
• Add github ai moderator (#​33077)

❤️ Contributors

• Daniel Roe (@​danielroe)
• abeer0 (@​iiio2)
• Julien Huang (@​huang-julien)
• kyumoon (@​kyumoon)
• Alexander Lichter (@​TheAlexLichter)
• Bobbie Goede (@​BobbieGoede)
• mustafa60x (@​mustafa60x)
• Matej Černý (@​cernymatej)
• Alex Liu (@​Mini-ghost)
• Amitav Chris Mostafa (@​semibroiled)
• Romain Hamel (@​romhml)
• Jacky Lam (@​jackylamhk)
• Mukund Shah (@​mukundshah)
• Luke Nelson (@​luc122c)
• letianpailove (@​letianpailove)
• Erwan Jugand (@​erwanjugand)
• Alexander (@​TheColorman)
• Ryota Watanabe (@​wattanx)
• Yizack Rangel (@​Yizack)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.