Skip to main content

Nuxt CVE-2026-56301

| EUVDEUVD-2026-38436 MEDIUM
Incorrect Default Permissions (CWE-276)
2026-06-23 VulnCheck GHSA-2x6f-57hp-86fx
6.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Local low-privilege access required to reach the dev-only abstract socket; high confidentiality impact from arbitrary file read; no integrity or availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 23, 2026 - 13:10 vuln.today
Analysis Generated
Jun 23, 2026 - 13:10 vuln.today
CVE Published
Jun 23, 2026 - 12:13 cve.org
MEDIUM 6.8

DescriptionCVE.org

Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.

AnalysisAI

Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socket, enabling unprivileged co-resident users to read arbitrary files - including .env secrets and SSH private keys - through the SSR module pipeline. Affected are Nuxt 4.0.0 through 4.4.6 and Nuxt 3.18.0 through 3.21.6 when running nuxt dev on Linux with Node.js 20+, outside Docker or StackBlitz. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege shell on shared Linux host
Delivery
Read /proc/net/unix to enumerate abstract socket
Exploit
Connect to \0nuxt-vite-node socket
Execution
Send crafted module IPC request with target file path
Persist
Nuxt SSR fetchModule() returns file contents
Impact
Exfiltrate .env secrets or SSH keys

Vulnerability AssessmentAI

Exploitation Three concrete conditions must all be true: (1) a developer is actively running `nuxt dev` - the vulnerable IPC server exists only during development, not in production builds; (2) the host is Linux with Node.js 20+ and the dev process is not running inside Docker or StackBlitz (both environments forced the safe filesystem-socket code path even in vulnerable versions); (3) the attacker holds a local, authenticated (PR:L) shell account on the same host and can read `/proc/net/unix` to enumerate the abstract socket name. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) accurately characterizes the threat: local access with low privileges, no special attack conditions, and high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged shell account on a shared CI runner or lab machine reads `/proc/net/unix` to identify the abstract-namespace socket created by a co-resident developer's active `nuxt dev` process. Using a simple Node.js or Python script to connect to the socket, the attacker sends a crafted `module` IPC message with a `moduleId` targeting `/home/victim/project/.env?raw`, and the Nuxt SSR pipeline returns the file contents verbatim. …
Remediation The definitive fix is to upgrade to nuxt@4.4.7 (for 4.x users) or nuxt@3.21.7 (for 3.x users) via `npm install nuxt@4.4.7` or `npm install nuxt@3.21.7`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nuxt

View all
CVE-2023-3224 CRITICAL POC
9.8 Jun 13

Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-34344 HIGH POC
8.8 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-23657 HIGH POC
8.8 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-42352 HIGH POC
7.5 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-34343 MEDIUM POC
6.1 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated medium se

CVE-2023-0878 MEDIUM POC
6.1 Feb 17

Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1. Rated medium severity (CVSS 6.1

CVE-2023-2138 CRITICAL
9.8 Apr 18

Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. Rated critical severity (CVSS

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2026-53721 HIGH
8.8 Jun 12

Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined p

CVE-2025-27415 HIGH
7.5 Mar 19

Nuxt is an open-source web development framework for Vue.js. Rated high severity (CVSS 7.5), this vulnerability is remot

CVE-2025-59414 LOW POC
3.1 Sep 17

Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remote

CVE-2026-49993 MEDIUM POC
5.9 Jun 12

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alph

Share

CVE-2026-56301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy