Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.
While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995).
https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263
That CORS handler sets Access-Control-Allow-Origin: *
.
[!IMPORTANT]
If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuringvite.server.cors
.
nuxt dev
.http://localhost:3000/_nuxt/app.vue
(fetch('http://localhost:3000/_nuxt/app.vue')
) from a different origin page.Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites
/__nuxt_vite_node__/manifest
/ /__nuxt_vite_node__/module
also seems to have Access-Control-Allow-Origin: *
, so it maybe also possible to exploit that handler.
https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39
Although I didn't find a valid module id.
Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks.
{ "nvd_published_at": "2025-01-25T01:15:24Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-01-27T11:31:14Z" }