Versions of @nuxt/devalue prior to 1.2.3 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization attacker may inject arbitrary JavaScript code through object keys.

Recommendation

Upgrade to version 1.2.3 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2019-13506
• nuxt-contrib/devalue#8
• https://github.com/nuxt/devalue/releases/tag/v1.2.3
• nuxt/nuxt@0d5dfe7
• nuxt/nuxt@c0776eb...8d14cd4
• https://github.com/nuxt/nuxt.js/releases/tag/v2.6.2
• https://www.npmjs.com/advisories/814
• Rich-Harris/devalue#19