GHSA-2452-6xj8-jh47
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2452-6xj8-jh47
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-2452-6xj8-jh47/GHSA-2452-6xj8-jh47.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2452-6xj8-jh47
- Aliases
- Related
- Published
- 2025-01-27T11:31:14Z
- Modified
- 2025-01-27T11:42:14.259722Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code
- Details
-
Summary
Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.
Details
While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995).
https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263
That CORS handler sets
Access-Control-Allow-Origin: *.[!IMPORTANT]
If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuringvite.server.cors.PoC
- Start a dev server in any nuxt project using Vite by
nuxt dev. - Send a fetch request to
http://localhost:3000/_nuxt/app.vue(fetch('http://localhost:3000/_nuxt/app.vue')) from a different origin page.
Impact
Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites
Additional Information
/__nuxt_vite_node__/manifest//__nuxt_vite_node__/modulealso seems to haveAccess-Control-Allow-Origin: *, so it maybe also possible to exploit that handler. https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39 Although I didn't find a valid module id. Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks. - Start a dev server in any nuxt project using Vite by
- Database specific
{ "nvd_published_at": "2025-01-25T01:15:24Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-01-27T11:31:14Z" }- References
-
- https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47
- https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6
- https://nvd.nist.gov/vuln/detail/CVE-2025-24360
- https://github.com/nuxt/nuxt/pull/23995
- https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f
- https://github.com/nuxt/nuxt
- https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263
- https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39
Affected packages
npm / @nuxt/vite-builder
Package
- Name
- @nuxt/vite-builder
- View open source insights on deps.dev
- Purl
- pkg:npm/%40nuxt/vite-builder