Summary
Nuxt Icon affected by a Server-Side Request Forgery (SSRF)
nuxt/icon provides an API to allow client side icon lookup. This endpoint is at /api/_nuxt_icon/[name].
The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure.
Details
The new URL constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs.
As a result we can pass a path prefixed with the string http:. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example http:127.0.0.1:8080. This would allow us to send requests to a local server.
PoC
Make a request to /api/_nuxt_icon/http:example.com, observe the data returned has been fetched from a different resource than intended.
I typically try to find an example within Nuxt infrastructure that is vulnerable to these types of bugs, but I could not identify any with this endpoint enabled.
Impact
- SSRF, potential sensitive data exposure.
- I do not believe this can be chained into an XSS, but it may be possible.
- Does not have a security impact on services deployed on Cloudflare Workers.
- Does not impact certain builds and modes (like static builds).
- Can be mitigated using by disabling the
fallbackToApioption.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2024-42352 has a CVSS score of 8.6 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.4.5); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
- Ensure the host has not been changed after the path is parsed.
- Alternatively, prefix the path with
./.
Frequently Asked Questions
- What is CVE-2024-42352? CVE-2024-42352 is a high-severity server-side request forgery (SSRF) vulnerability in @nuxt/icon (npm), affecting versions <= 1.4.4. It is fixed in 1.4.5. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- How severe is CVE-2024-42352? CVE-2024-42352 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @nuxt/icon are affected by CVE-2024-42352? @nuxt/icon (npm) versions <= 1.4.4 is affected.
- Is there a fix for CVE-2024-42352? Yes. CVE-2024-42352 is fixed in 1.4.5. Upgrade to this version or later.
- Is CVE-2024-42352 exploitable, and should I be worried? Whether CVE-2024-42352 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-42352 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-42352? Upgrade
@nuxt/iconto 1.4.5 or later.