The vulnerability identified as CVE-2026-34404 affects the nuxt-modules og-image package, which is used to generate Open Graph (OG) images dynamically using Vue templates within Nuxt applications. Prior to version 6.2.5, the image generation endpoint accessible via /_og/d/ (and /og-image/ in older versions) does not impose any limits on the width and height parameters supplied by the user. This lack of validation allows an attacker to specify extremely large dimensions for the generated images, causing excessive consumption of CPU, memory, and possibly disk resources on the server. The excessive resource usage can lead to Denial of Service (DoS) conditions, where legitimate requests are delayed or dropped due to resource exhaustion. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). Exploitation requires no authentication or user interaction, making it remotely exploitable over the network. The issue was reproducible using the default configuration and templates, indicating that many deployments could be vulnerable. The vendor addressed this issue in version 6.2.5 by implementing restrictions on the image dimensions to prevent abuse. The CVSS v4.0 base score is 6.9, reflecting a medium severity level due to the impact on availability and ease of exploitation without authentication.

This vulnerability can significantly impact organizations that use the nuxt-modules og-image package for dynamic OG image generation. An attacker can exploit this flaw to launch Denial of Service attacks by requesting images with very large dimensions, causing servers to consume excessive CPU and memory resources. This can degrade application performance, cause outages, or increase operational costs due to resource overuse. Public-facing web services relying on this component are particularly at risk, as the vulnerability can be exploited remotely without authentication or user interaction. The disruption could affect user experience, damage brand reputation, and potentially lead to financial losses. Additionally, if the affected service is part of a larger infrastructure, the DoS condition could cascade, impacting other dependent services. Although no known exploits are currently reported in the wild, the ease of exploitation and lack of mitigations in older versions make this a credible threat.

To mitigate this vulnerability, organizations should immediately upgrade the nuxt-modules og-image package to version 6.2.5 or later, where the issue is patched. If upgrading is not immediately feasible, implement strict input validation and sanitization on the width and height parameters at the application or web server level to enforce maximum allowable dimensions. Rate limiting and request throttling on the image generation endpoints can help reduce the risk of resource exhaustion attacks. Monitoring resource usage and setting alerts for abnormal spikes in CPU or memory consumption related to the image generation service can provide early detection of exploitation attempts. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting the vulnerable endpoints. Regularly review and update dependencies to ensure known vulnerabilities are addressed promptly.