Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local low-privilege access required to reach the dev-only abstract socket; high confidentiality impact from arbitrary file read; no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.
AnalysisAI
Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socket, enabling unprivileged co-resident users to read arbitrary files - including .env secrets and SSH private keys - through the SSR module pipeline. Affected are Nuxt 4.0.0 through 4.4.6 and Nuxt 3.18.0 through 3.21.6 when running nuxt dev on Linux with Node.js 20+, outside Docker or StackBlitz. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three concrete conditions must all be true: (1) a developer is actively running `nuxt dev` - the vulnerable IPC server exists only during development, not in production builds; (2) the host is Linux with Node.js 20+ and the dev process is not running inside Docker or StackBlitz (both environments forced the safe filesystem-socket code path even in vulnerable versions); (3) the attacker holds a local, authenticated (PR:L) shell account on the same host and can read `/proc/net/unix` to enumerate the abstract socket name. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) accurately characterizes the threat: local access with low privileges, no special attack conditions, and high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged shell account on a shared CI runner or lab machine reads `/proc/net/unix` to identify the abstract-namespace socket created by a co-resident developer's active `nuxt dev` process. Using a simple Node.js or Python script to connect to the socket, the attacker sends a crafted `module` IPC message with a `moduleId` targeting `/home/victim/project/.env?raw`, and the Nuxt SSR pipeline returns the file contents verbatim. … |
| Remediation | The definitive fix is to upgrade to nuxt@4.4.7 (for 4.x users) or nuxt@3.21.7 (for 3.x users) via `npm install nuxt@4.4.7` or `npm install nuxt@3.21.7`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. Rated critical severity (CVSS 9.8), this vulnerability is
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated medium se
Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1. Rated medium severity (CVSS 6.1
Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. Rated critical severity (CVSS
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c
Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined p
Nuxt is an open-source web development framework for Vue.js. Rated high severity (CVSS 7.5), this vulnerability is remot
Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remote
Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alph
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38436
GHSA-2x6f-57hp-86fx