logo

Database

Insecure HTTP methods enabled In @nuxt/webpack-builder

Description

Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

Summary

This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

Details

The fix for GHSA-4gf7-ff8x-hq99 relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because these headers are sent by the browsers only for potentially trustworthy origins, the check is able to bypass for non-potentially trustworthy origins.

Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using --host is affected.

PoC

    Create a nuxt project with webpack / rspack builder.

    Run npm run dev

    Open http://localhost:3000

    Run the script below in a web site that has a different origin.

    You can see the source code output in the document and the devtools console.

const script = document.createElement('script')
script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to
script.addEventListener('load', () => {
  const key = Object.keys(window).find(k => k.startsWith("webpackChunk"))
  for (const page in window[key]) {
    const moduleList = window[key][page][1]
    console.log(moduleList)
...

(This script is the similar with GHSA-4gf7-ff8x-hq99 except for the script.src and the global variable name)

Impact

Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using --host.

This vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to the local network access restriction feature.

Patches

Fixed in [email protected] and [email protected] by #35051. The dev-middleware same-origin check now falls back to comparing the request's Origin / Referer host against Host when Sec-Fetch-* headers are absent, closing the non-trustworthy-origin bypass.

The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.

Workarounds

If you cannot upgrade immediately:

    Don't use nuxt dev --host. Bind the dev server to localhost (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.

    Use Chrome 142+ or another Chromium-based browser that enforces local network access restrictions.

    Switch to the Vite builder for development.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-456702. NVD-2026-456703. OSV-2026-456704. GHSA-6m52-m754-pw2g5. GCVE-2026-45670

References

1. https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g2. https://github.com/nuxt/nuxt/pull/35051

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.