logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-24360 @nuxt/vite-builder

Package

Manager: npm
Name: @nuxt/vite-builder
Vulnerable Version: >=3.8.1 <3.15.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00121 pctl0.31871

Details

Opening a malicious website while running a Nuxt dev server could allow read-only access to code ### Summary Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. ### Details While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995). https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263 That CORS handler sets `Access-Control-Allow-Origin: *`. > [!IMPORTANT] > If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring `vite.server.cors`. ### PoC 1. Start a dev server in any nuxt project using Vite by `nuxt dev`. 2. Send a fetch request to `http://localhost:3000/_nuxt/app.vue` (`fetch('http://localhost:3000/_nuxt/app.vue')`) from a different origin page. ### Impact Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites ### Additional Information `/__nuxt_vite_node__/manifest` / `/__nuxt_vite_node__/module` also seems to have `Access-Control-Allow-Origin: *`, so it maybe also possible to exploit that handler. https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39 Although I didn't find a valid module id. Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks.

Metadata

Created: 2025-01-27T11:31:14Z
Modified: 2025-01-27T11:31:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-2452-6xj8-jh47/GHSA-2452-6xj8-jh47.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-2452-6xj8-jh47
Finding: F308
Auto approve: 1