chore(deps): update dependency nuxt-og-image to v6 [security] #296
renovate[bot] wants to merge 1 commit into main
Conversation
🧹 Nitpick comments (3)
package.json (3)
27-27: Verify lockfile update and test thoroughly before deployment. Given the security-critical nature of this update and the major version bump, ensure:
- The lockfile (pnpm-lock.yaml) is updated to resolve to v6.2.5 or later
- Image generation endpoints are tested with the attack vectors mentioned in the CVEs:
  - Large dimension parameters (e.g., width=20000&height=20000)
  - SSRF payloads via CSS background-image, img src, or SVG href
  - XSS payloads via query parameters (e.g., onmouseover=alert())
- Existing og:image meta tags still render correctly
- Performance is acceptable with the new Takumi renderer
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@package.json` at line 27, Bump of "nuxt-og-image" to a major version requires updating the lockfile and thorough testing: update pnpm-lock.yaml to ensure the resolved version is >= v6.2.5, run an install to lock dependencies, then test your image-generation endpoints (the nuxt-og-image handlers/Takumi renderer paths) against the CVE vectors — very large dimension params (e.g., width=20000&height=20000), SSRF payloads via CSS background-image, img src, and SVG href, and XSS payloads in query params (e.g., onmouseover=alert()); also verify existing og:image meta tag rendering still works and run performance/load tests to confirm the Takumi renderer meets SLAs before merging/deploying.
27-27: Consider adding application-level security controls. While updating to v6.2.5+ addresses the library vulnerabilities, consider implementing defense-in-depth measures:
- Rate limiting: Protect the `/_og/*` endpoints from abuse even with dimension limits in place
- Content Security Policy: Add CSP headers to prevent XSS even if parameter sanitization fails
- Network egress filtering: If feasible, restrict the Nuxt server's outbound network access to prevent SSRF to internal services
- Monitoring: Log and alert on suspicious og-image requests (unusually large dimensions, private IPs in parameters, etc.)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@package.json` at line 27, The dependency update for "nuxt-og-image" should be accompanied by application-level security controls: upgrade "nuxt-og-image" to >=6.2.5 in package.json, add rate-limiting middleware that targets the /_og/* endpoints (or the Nuxt route handler that serves og images) to block abusive request rates, enforce strict dimension and host validation in the nuxt-og-image request handler (validate params and reject private IP/hostname values), add CSP and other security headers via nuxt.config (e.g., render.headers or a Helmet-like middleware) to reduce XSS risk, and ensure monitoring/logging is added around the og-image generation code (log oversized dimension requests, blocked host attempts, and rate-limit hits) while considering network egress restrictions at the deployment/network layer (e.g., VPC firewall or network policy) to prevent SSRF.
27-27: Consider specifying ^6.2.5 as the minimum version to explicitly include the SSRF security fix. The SSRF vulnerability (GHSA-pqhr-mp3f-hrpp) was patched in v6.2.5. While `^6.0.0` will typically resolve to the latest available version (6.3.3), explicitly specifying `^6.2.5` makes the security intent clearer and protects against edge cases with pinned lockfiles or unusual dependency resolution scenarios.
Proposed change
```diff
- "nuxt-og-image": "^6.0.0",
+ "nuxt-og-image": "^6.2.5",
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@package.json` at line 27, Update the nuxt-og-image dependency declaration to require at least the patched release by changing the version specifier from "^6.0.0" to "^6.2.5" in package.json (the "nuxt-og-image" entry), then reinstall and commit the updated lockfile (npm/yarn/pnpm install) so the SSRF fix (GHSA-pqhr-mp3f-hrpp) is actually enforced across environments.
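Review bot: `^6.2.5` is the right floor to declare in the proposed change: the advisories in this PR list 6.1.2 as affected (CVE-2026-34404, CVE-2026-34405) and every release before 6.2.5 for GHSA-pqhr-mp3f-hrpp, so the current `^6.0.0` range still admits vulnerable releases, and only pnpm-lock.yaml, which this review excludes by path filter, decides what is actually installed; the lockfile's resolved version should be checked as part of the merge decision, not just the range in package.json.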
⛔ Files ignored due to path filters (1)
pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (1)
package.json
This PR contains the following updates:
nuxt-og-image: ^5.1.13 → ^6.0.0
GitHub Vulnerability Alerts
CVE-2026-34404
Product: Nuxt OG Image
Version: 6.1.2
CWE-ID: CWE-404: Improper Resource Shutdown or Release
Description: Failure to limit the length and width of the generated image results in a denial of service.
Impact: Denial of service
Exploitation condition: An external user
Mitigation: Implement a limitation on the width and length of the generated image.
Researcher: Dmitry Prokhorov (Positive Technologies)
Research
During the analysis of the nuxt-og-image package, which is shipped with the nuxt-seo package, a zero-day vulnerability was discovered.
This research revealed that the image-generation component at the URI `/_og/d/` (and, in older versions, `/og-image/`) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates.
Listing 1. The content of the configuration file nuxt.config.ts
Vulnerability reproduction
To demonstrate the proof-of-concept, a request should be sent with increased `width` and `height` parameters. This will cause a delay and exhaust the server's resources during image generation.
Listing 2. HTTP-request example
Figure 1. HTTP response: denial-of-service error
After sending the HTTP request, the test server's memory was exhausted.
Figure 2. Video memory exhausted error
Credits
Researcher: Dmitry Prokhorov (Positive Technologies)
GHSA-pqhr-mp3f-hrpp
Product: Nuxt OG Image
Version: < 6.2.5
CWE-ID: CWE-918: Server-Side Request Forgery
Description
The image generation endpoint (`/_og/d/`) accepts user-controlled parameters that are passed to the server-side renderer without proper validation or filtering. An attacker can trigger server-side requests to internal network addresses through multiple vectors.
Impact
Attack Vectors
Three distinct vectors were identified, all exploiting the same underlying lack of URL validation:
- Vector 1: CSS `background-image` injection via the `style` parameter
- Vector 2: `<img src>` injection via the `html` parameter. When verbose errors are enabled, the response content is leaked in base64-encoded error messages.
- Vector 3: SVG `<image href>` injection via the `html` parameter
Mitigation
Fixed in v6.2.5. The image source plugin now blocks requests to private IP ranges (IPv4/IPv6), loopback addresses, link-local addresses, and cloud metadata endpoints. Decimal/hexadecimal IP encoding bypasses are also handled.
Credits
Researcher: Dmitry Prokhorov (Positive Technologies)
CVE-2026-34405
Product: Nuxt OG Image
Version: 6.1.2
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation
Description: Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection.
Impact: Client-Side JavaScript Execution
Exploitation condition: An external user
Mitigation: Correct the logic of parsing GET parameters and their subsequent implementation into the generated page.
Researcher: Dmitry Prokhorov (Positive Technologies)
Research
During the analysis of the nuxt-og-image package, which is shipped with the nuxt-seo package, a zero-day vulnerability was discovered.
This research revealed that the image-generation component at the URI `/_og/d/` (and, in older versions, `/og-image/`) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. The vulnerability was reproduced using the standard configuration and the default templates.
Listing 1. The content of the configuration file nuxt.config.ts
Vulnerability reproduction
To demonstrate the proof-of-concept, follow the URI: `/_og/d/og.html?width=1000&height=1000&onmouseover=alert(document.cookie)&autofocus`
The injected parameters `onmouseover=alert(document.cookie)` and `autofocus` are treated as attributes and are inserted directly into the generated HTML page.
Listing 2. HTTP-request example
Figure 1. The injected attribute in the HTML body
Figure 2. JavaScript code execution
Credits
Researcher: Dmitry Prokhorov (Positive Technologies)
Release Notes
nuxt-modules/og-image (nuxt-og-image)
v6.2.5 (Compare Source)
🐞 Bug Fixes
View changes on GitHub
v6.2.4 (Compare Source)
compare changes
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.2.3 (Compare Source)
🐞 Bug Fixes
🏎 Performance
View changes on GitHub
v6.2.2 (Compare Source)
compare changes
🔥 Performance
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.2.1 (Compare Source)
compare changes
🏡 Chore
❤️ Contributors
v6.2.0 (Compare Source)
compare changes
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.1.2 (Compare Source)
compare changes
🚀 Enhancements
- `defineOgImageSchema()` composable (#520)
🩹 Fixes
💅 Refactors
🏡 Chore
✅ Tests
❤️ Contributors
v6.1.1 (Compare Source)
compare changes
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.1.0 (Compare Source)
compare changes
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.0.7 (Compare Source)
compare changes
🚀 Enhancements
- `create` and `switch` commands with DX improvements (#508)
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.0.6 (Compare Source)
compare changes
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.0.5 (Compare Source)
compare changes
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.0.4 (Compare Source)
compare changes
🏡 Chore
❤️ Contributors
v6.0.3 (Compare Source)
compare changes
🩹 Fixes
🏡 Chore
❤️ Contributors
v6.0.2 (Compare Source)
🐞 Bug Fixes
View changes on GitHub
v6.0.1 (Compare Source)
🐞 Bug Fixes
- `defineOgImage({ url })` -> `useSeoMeta` - by @harlan-zw in #496 (2e762)
View changes on GitHub
v6.0.0 (Compare Source)
Nuxt OG Image v6 brings a complete overhaul focused on performance, modern tooling, and developer experience.
📣 Highlights
📖 Migration Guide
Full migration guide: https://nuxtseo.com/og-image/migration-guide/v6
Quick Migration
Notable Changes
🚀 Takumi Renderer (Recommended)
Takumi is a Rust-based renderer that directly rasterizes to PNG/JPEG/WebP - no SVG intermediate step. It's 2-10x faster than Satori+Resvg.
See PR #414.
Takumi and Satori are feature-compatible within Nuxt OG Image - both support Tailwind CSS, custom fonts, emoji, edge runtimes, and all the same template features. The difference is speed: Takumi is always faster thanks to its Rust-based direct rasterization.
Use Takumi by creating components with the `.takumi.vue` suffix. See the Takumi docs for the full feature list.
🎨 First-Class CSS Support
Nuxt OG Image now has first-class support for multiple CSS approaches - not just Tailwind. All of these work out of the box with zero configuration:
See PR #430.
`@theme` values just work (primary, secondary, etc. are automatically resolved). No configuration needed.
🖥️ Redesigned DevTools
The OG image DevTools have been completely overhauled:
⚡ Install Renderer Dependencies
Renderer dependencies are no longer bundled. Install what you need based on your renderer and runtime.
See PR #415.
Takumi (recommended):
Satori:
Browser:
Running `nuxi dev` will prompt you to install missing dependencies automatically.
🖼️ Multiple OG Images Per Page
Define multiple images with different dimensions for different platforms. Shared props are passed once and applied to all variants.
See PR #305.
Shared Props with Variants (Recommended)
Pass shared props as the second argument and size variants as the third — no prop duplication needed:
Per-variant props override shared props when needed:
Array Syntax
Alternatively, pass all options inline per variant:
🔤 @nuxt/fonts Integration
Custom fonts now use @nuxt/fonts instead of the legacy `ogImage.fonts` config. See PR #432.
The `global: true` option is required for fonts to be available in OG Image rendering.
📦 Component Renderer Suffix
OG Image components now require a renderer suffix in their filename. This enables automatic renderer detection, multiple renderer variants, and tree-shaking.
See PR #433.
Run the migration CLI to rename automatically:
🏷️ Community Templates Must Be Ejected
Community templates (`NuxtSeo`, `SimpleBlog`, etc.) are no longer bundled in production. Eject them to your project before building. See PR #426.
Templates continue to work in development without ejecting.
🔗 New URL Structure
OG Image URLs now use a Cloudinary-style format with options encoded in the path. This enables better CDN caching since identical options produce identical URLs.
See PR #305.
| Old | New |
|---|---|
| `/__og-image__/image/` | `/_og/d/` |
| `/__og-image__/static/` | `/_og/s/` |
🚨 Breaking Changes
🚀 Features
🐞 Bug Fixes
- `zeroRuntime` mode - by @harlan-zw (7afb1)
- `zeroRuntime` mode - by @harlan-zw in #428 (97fb4)
- `!important` - by @harlan-zw (b5684)
- `props={}` in URLs - by @harlan-zw (7caa4)
- `font-display` -> font file - by @harlan-zw (3d4a5)
- `defineOgImage()` props - by @harlan-zw (4df12)
- `<style>` blocks - by @harlan-zw (64d59)
- `getOgImagePath` as deprecated - by @harlan-zw (00497)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
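As an added example (not code from nuxt-og-image or its maintainers), here is host filtering for image-source URLs of the kind the GHSA-pqhr-mp3f-hrpp mitigation above describes: loopback, unspecified, private, CGNAT, link-local (which covers the 169.254.169.254 metadata address) and IPv4-mapped IPv6 hosts are refused, after decimal, hexadecimal and octal IPv4 literals are normalised so they cannot slip past a string match. The block lists and the `localhost` rule are my own choices, not the library's.

```javascript
// Added example (not nuxt-og-image's code): host filtering for image-source URLs of the
// kind GHSA-pqhr-mp3f-hrpp describes for v6.2.5. Decimal/hex/octal IPv4 literals such as
// 2130706433, 0x7f000001 or 0177.0.0.1 are normalised before the range check.

// Parse any IPv4 literal (dotted, shortened like "127.1", plain decimal, hex or octal
// parts) into an unsigned 32-bit number; return null if it is not an IPv4 literal.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map((p) => {
    if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p, 16);
    if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
    if (/^[0-9]+$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();                 // the last part may carry the remaining bytes
  const lastBytes = 4 - nums.length;
  if (nums.some((n) => n > 255) || last >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  return value * 2 ** (8 * lastBytes) + last; // arithmetic, not shifts: no signed-32 overflow
}

function isBlockedIPv4(n) {
  const a = Math.floor(n / 2 ** 24), b = Math.floor(n / 2 ** 16) % 256;
  return a === 0 || a === 10 || a === 127        // unspecified, 10/8, loopback
    || (a === 169 && b === 254)                  // link-local, incl. 169.254.169.254 metadata
    || (a === 172 && b >= 16 && b <= 31)         // 172.16/12
    || (a === 192 && b === 168)                  // 192.168/16
    || (a === 100 && b >= 64 && b <= 127);       // 100.64/10 (RFC 6598)
}

function isBlockedIPv6(h) {
  if (h === '::1' || h === '::') return true;                // loopback, unspecified
  if (/^fe[89ab]/.test(h) || /^f[cd]/.test(h)) return true;  // fe80::/10, fc00::/7
  const m = h.match(/^::ffff:([0-9a-f]+):([0-9a-f]+)$/);     // IPv4-mapped, as the URL parser serialises it
  return m !== null && isBlockedIPv4(parseInt(m[1], 16) * 65536 + parseInt(m[2], 16));
}

// True only for an http(s) URL whose host is not a blocked literal or a localhost name.
function isSafeImageSource(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.startsWith('[')) return !isBlockedIPv6(host.slice(1, -1));
  const v4 = parseIPv4(host);
  return v4 === null || !isBlockedIPv4(v4);
}
```

A literal-only check does not catch a public hostname that resolves (or later rebinds) to an internal address; for that, resolve the name and run the same range check on the resulting address immediately before the fetch.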
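As a second added example (again not the project's code), a request-boundary validator for the two other advisories above, CVE-2026-34404 (unbounded width/height) and CVE-2026-34405 (unknown query keys inserted as HTML attributes): query keys are allowlisted so that parameters such as `onmouseover` or `autofocus` never reach a template, and `width`/`height` must be plain integers under a per-side and total-area cap. The caps, the accepted key names and the `validateOgUrl` helper are assumptions for illustration.

```javascript
// Added example (not nuxt-og-image's code): validate an og-image request's query before a
// template sees it, for the unbounded-dimension (CVE-2026-34404) and attribute-injection
// (CVE-2026-34405) findings. Limits and accepted keys below are assumptions.

const MAX_SIDE = 2000;               // assumed per-side cap
const MAX_PIXELS = 1200 * 630 * 4;   // assumed area cap: four default-size images
const ALLOWED_KEYS = new Set(['width', 'height', 'title', 'description']);

// Accept only plain positive integers: no "1e9", "-1", "0x10" or values above MAX_SIDE.
function parseDimension(value, fallback) {
  if (value === undefined) return fallback;
  if (!/^[1-9][0-9]{0,4}$/.test(value)) return null;
  const n = Number(value);
  return n > MAX_SIDE ? null : n;
}

// Escape for insertion into an HTML attribute value or text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns { ok: true, params } or { ok: false, reason }. Unknown keys are rejected
// outright rather than silently dropped, so probing is visible in request logs.
function validateOgQuery(query) {
  const unknown = Object.keys(query).filter((k) => !ALLOWED_KEYS.has(k));
  if (unknown.length) return { ok: false, reason: `unknown parameter(s): ${unknown.join(', ')}` };
  const width = parseDimension(query.width, 1200);
  const height = parseDimension(query.height, 630);
  if (width === null || height === null) return { ok: false, reason: `width/height must be integers in 1..${MAX_SIDE}` };
  if (width * height > MAX_PIXELS) return { ok: false, reason: 'image area too large' };
  const params = { width, height, title: escapeHtml(query.title ?? ''), description: escapeHtml(query.description ?? '') };
  return { ok: true, params };
}

// Convenience wrapper: validate straight from a request path plus query string.
function validateOgUrl(raw) {
  return validateOgQuery(Object.fromEntries(new URL(raw, 'http://localhost').searchParams));
}
```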