Security patch:
[LOW] GHSA-g8wj-3cr3-6w7v: Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
GitHub Security Advisory · Security · SecurityFix · 5/19/2026

### Summary

The `/__nuxt_island/*` endpoint accepts attacker-controlled `props` query/body parameters and renders any island component without verifying that the URL-resident hash (`<Name>_<hashId>.json`) was actually issued for those inputs by `<NuxtIsland>`. The hash is computed and embedded clie
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
@nuxt/nitro-server
Source payload preview
{
  "ghsaId": "GHSA-g8wj-3cr3-6w7v",
  "summary": "Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",
  "severity": "LOW",
  "updatedAt": "2026-05-19T20:03:26Z",
  "references": [
    {
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v"
    },
    {
      "url": "https://github.com/nuxt/nuxt/pull/35077"
    },
    {
      "url": "https://github.com/advisories/GHSA-g8wj-3cr3-6w7v"
    }
  ],
  "description": "### Summary\n\nThe `/__nuxt_island/*` endpoint accepts attacker-controlled `props` query/body parameters and renders any island component without verifying that the URL-resident hash (`<Name>_<hashId>.json`) was actually issued for those inputs by `<NuxtIsland>`. The hash is computed and embedded c
…