GHSA-pqhr-mp3f-hrpp
MEDIUMNuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
nuxt-og-imagenpmDescription
Product: Nuxt OG Image Version: < 6.2.5 CWE-ID: CWE-918: Server-Side Request Forgery
Description
The image generation endpoint (/_og/d/) accepts user-controlled parameters that are passed to the server-side renderer without proper validation or filtering. An attacker can trigger server-side requests to internal network addresses through multiple vectors.
Impact
- Scanning internal ports and services inaccessible from the outside
- Reading sensitive data from cloud infrastructure metadata services (tokens, credentials) when verbose error output is enabled
Attack Vectors
Three distinct vectors were identified, all exploiting the same underlying lack of URL validation:
Vector 1: CSS background-image injection via style parameter
GET /_og/d/og.png?style=background-image:+url('http://127.0.0.1:8888/secret')
Vector 2: <img src> injection via html parameter
GET /_og/d/og.png?html=<img src="http://127.0.0.1:8888/secret">
When verbose errors are enabled, the response content is leaked in base64-encoded error messages.
Vector 3: SVG <image href> injection via html parameter
GET /_og/d/og.png?html=<svg><image href="http://127.0.0.1:8888/secret"></svg>
Mitigation
Fixed in v6.2.5. The image source plugin now blocks requests to private IP ranges (IPv4/IPv6), loopback addresses, link-local addresses, and cloud metadata endpoints. Decimal/hexadecimal IP encoding bypasses are also handled.
Credits
Researcher: Dmitry Prokhorov (Positive Technologies)
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | nuxt-og-image | all versions | 6.2.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for nuxt-og-image. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update nuxt-og-image to 6.2.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-pqhr-mp3f-hrpp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-pqhr-mp3f-hrpp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-pqhr-mp3f-hrpp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-pqhr-mp3f-hrpp in your dependencies?
O3 detects GHSA-pqhr-mp3f-hrpp across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.