GHSA-2452-6xj8-jh47

Suggest an improvement
Source
https://github.com/advisories/GHSA-2452-6xj8-jh47
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-2452-6xj8-jh47/GHSA-2452-6xj8-jh47.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2452-6xj8-jh47
Aliases
Related
Published
2025-01-27T11:31:14Z
Modified
2025-01-27T11:42:14.259722Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Details

Summary

Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.

Details

While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995).

https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263

That CORS handler sets Access-Control-Allow-Origin: *.

[!IMPORTANT]
If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring vite.server.cors.

PoC

  1. Start a dev server in any nuxt project using Vite by nuxt dev.
  2. Send a fetch request to http://localhost:3000/_nuxt/app.vue (fetch('http://localhost:3000/_nuxt/app.vue')) from a different origin page.

Impact

Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites

Additional Information

/__nuxt_vite_node__/manifest / /__nuxt_vite_node__/module also seems to have Access-Control-Allow-Origin: *, so it maybe also possible to exploit that handler. https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39 Although I didn't find a valid module id. Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks.

Database specific
{
    "nvd_published_at": "2025-01-25T01:15:24Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-27T11:31:14Z"
}
References

Affected packages

npm / @nuxt/vite-builder

Package

Name
@nuxt/vite-builder
View open source insights on deps.dev
Purl
pkg:npm/%40nuxt/vite-builder

Affected ranges

Type
SEMVER
Events
Introduced
3.8.1
Fixed
3.15.3