GHSA-2452-6XJ8-JH47
Vulnerability from github – Published: 2025-01-27 11:31 – Updated: 2025-01-27 11:31Summary
Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.
Details
While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995).
https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263
That CORS handler sets Access-Control-Allow-Origin: *.
[!IMPORTANT]
If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuringvite.server.cors.
PoC
- Start a dev server in any nuxt project using Vite by
nuxt dev. - Send a fetch request to
http://localhost:3000/_nuxt/app.vue(fetch('http://localhost:3000/_nuxt/app.vue')) from a different origin page.
Impact
Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites
Additional Information
/__nuxt_vite_node__/manifest / /__nuxt_vite_node__/module also seems to have Access-Control-Allow-Origin: *, so it maybe also possible to exploit that handler.
https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39
Although I didn't find a valid module id.
Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@nuxt/vite-builder"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.1"
},
{
"fixed": "3.15.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24360"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-27T11:31:14Z",
"nvd_published_at": "2025-01-25T01:15:24Z",
"severity": "MODERATE"
},
"details": "### Summary\nNuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.\n\n### Details\nWhile Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995).\n\nhttps://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263\n\nThat CORS handler sets `Access-Control-Allow-Origin: *`.\n\n\u003e [!IMPORTANT] \n\u003e If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring `vite.server.cors`.\n\n### PoC\n1. Start a dev server in any nuxt project using Vite by `nuxt dev`.\n2. Send a fetch request to `http://localhost:3000/_nuxt/app.vue` (`fetch(\u0027http://localhost:3000/_nuxt/app.vue\u0027)`) from a different origin page.\n\n### Impact\nUsers with the default server.cors option using Vite builder may get the source code stolen by malicious websites\n\n### Additional Information\n`/__nuxt_vite_node__/manifest` / `/__nuxt_vite_node__/module` also seems to have `Access-Control-Allow-Origin: *`, so it maybe also possible to exploit that handler.\nhttps://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39\nAlthough I didn\u0027t find a valid module id.\nNote that this handler is probably also vulnerable to DNS rebinding attacks as I didn\u0027t find any host header checks.",
"id": "GHSA-2452-6xj8-jh47",
"modified": "2025-01-27T11:31:15Z",
"published": "2025-01-27T11:31:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24360"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/pull/23995"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt/nuxt"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.