CVE-2025-27415
Published: 19 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-27415 is a cache poisoning vulnerability affecting Nuxt, an open-source web development framework for Vue.js, in versions prior to 3.16.0. The issue arises when a Nuxt server is deployed behind a CDN that ignores query strings when determining cache keys for routes. By sending a crafted HTTP request, such as https://mysite.com/?/_payload.json, an attacker can trigger a JSON response that gets cached by the CDN and inadvertently served to subsequent visitors, disrupting normal site functionality. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data).
Any remote attacker without authentication or user interaction can exploit this vulnerability by crafting and sending the malicious request to a vulnerable Nuxt site behind a susceptible CDN configuration. Successful exploitation poisons the CDN cache, causing the site to serve invalid JSON responses to legitimate users instead of the expected HTML, leading to high-impact denial of service that renders the site unavailable indefinitely. Attackers can exacerbate this by automating requests at intervals matching the CDN's caching duration to perpetually refresh the poisoned cache entry.
The Nuxt security advisory at https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 details the fix implemented in version 3.16.0, which prevents the crafted requests from generating cacheable JSON responses. Security practitioners should upgrade to Nuxt 3.16.0 or later and review CDN configurations to ensure query strings are properly considered in cache keys.
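To make the cache-key point concrete, the following Python model is an added example written for this page; it is not code from Nuxt or from the advisory. It simulates a CDN in front of an origin, shows why a cache key that drops the query string lets a JSON answer to `/?/_payload.json` be stored under the same key as the normal `/` page, and adds two defender-side checks: a config audit and a scan of access-log lines for the request shape the advisory describes. The `cache_key_includes_query_string` setting, the `example.invalid` host, the origin behaviour and the log lines are all constructed assumptions for the illustration.

```python
"""Toy model of the CDN cache-key behaviour described for CVE-2025-27415.

Added illustration, not code from Nuxt or from the advisory. The CDN, the
origin responses and the log lines are constructed here; the only
page-derived input is the request shape "/?/_payload.json".
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    content_type: str
    body: str


def origin(path: str, query: str) -> Response:
    """Stand-in for a pre-3.16.0 origin: a query string of the form
    "/..._payload.json" makes the app answer with JSON payload data instead of
    the page HTML. (Assumed simplification of the behaviour the advisory
    describes; not Nuxt's real routing logic.)"""
    if query.startswith("/") and query.endswith("_payload.json"):
        return Response("application/json", '{"data":{}}')
    return Response("text/html", "<html>home</html>")


@dataclass
class CdnCache:
    key_includes_query: bool          # the setting the advisory tells you to check
    store: dict = field(default_factory=dict)

    def cache_key(self, url: str) -> str:
        parts = urlsplit(url)
        if self.key_includes_query and parts.query:
            return parts.path + "?" + parts.query
        return parts.path              # weak keying: "/?/_payload.json" -> "/"

    def fetch(self, url: str) -> Response:
        key = self.cache_key(url)
        if key not in self.store:
            parts = urlsplit(url)
            self.store[key] = origin(parts.path, parts.query)
        return self.store[key]


def served_after_poison_attempt(key_includes_query: bool) -> str:
    """Content-Type a normal visitor to "/" receives after someone first
    requested "/?/_payload.json" through the same CDN."""
    cdn = CdnCache(key_includes_query)
    cdn.fetch("https://example.invalid/?/_payload.json")   # constructed host
    return cdn.fetch("https://example.invalid/").content_type


def audit_cdn_config(config: dict) -> list:
    """Flag a hypothetical CDN config that strips query strings from cache keys.
    The key name is an assumption; map it to your CDN's real setting."""
    findings = []
    if not config.get("cache_key_includes_query_string", False):
        findings.append("cache key ignores query string: a JSON response to "
                        "'/?/_payload.json' would be cached and served for '/'")
    return findings


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2025:10:00:01 +0000] "GET /?/_payload.json HTTP/1.1" 200 512
203.0.113.8 - - [19/Mar/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 8192
203.0.113.9 - - [19/Mar/2025:10:00:03 +0000] "GET /about?ref=newsletter HTTP/1.1" 200 4096
"""


def suspicious_requests(log_text: str) -> list:
    """Return request targets whose query string begins with '/', the shape
    of the crafted request named in the advisory."""
    hits = []
    for line in log_text.splitlines():
        try:
            target = line.split('"')[1].split(" ")[1]   # "GET <target> HTTP/1.1"
        except IndexError:
            continue
        if urlsplit(target).query.startswith("/"):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("query ignored  ->", served_after_poison_attempt(False))
    print("query in key   ->", served_after_poison_attempt(True))
    print(audit_cdn_config({"cache_key_includes_query_string": False}))
    print(suspicious_requests(SAMPLE_LOG))
```

With query strings dropped from the key, the second visitor to `/` gets `application/json`; with them included, the two requests occupy separate cache entries and the visitor gets HTML. Upgrading to 3.16.0 removes the cacheable JSON answer at the origin, and the log scan gives a cheap way to confirm whether such requests were ever seen before the upgrade.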
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of the Nuxt web application to perform a denial of service by crafting HTTP requests (e.g., /?/_payload.json) that poison the CDN cache, causing it to serve invalid JSON responses to legitimate HTML requests and rendering the site unavailable indefinitely.