Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
- Severity:
- Medium
Description
This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.
Recommendation
Update the @nuxt/rspack-builder package to the latest compatible version. Followings are version details:
Affected version(s): **>= 4.0.0-alpha.1, <= 4.4.5 >= 3.15.4, <= 3.21.5** Patched version(s): **4.4.6 3.21.6**
References
Related Issues
- Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) - @nuxt/webpack-builder - CVE-2026-45670
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code - CVE-2025-24361
- webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/vite-builder - CVE-2025-24360
You might also like:
- Tags:
- npm
- @nuxt/rspack-builder
Anything's wrong? Let us know Last updated on May 19, 2026