Nuxt DevTools vulnerable to cross-site scripting (XSS)

Severity:: Medium

Description

A vulnerability in Nuxt DevTools has been fixed in version 2.6.4*. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade.

Recommendation

Update the @nuxt/devtools package to the latest compatible version. Followings are version details:

Affected version(s): < 2.6.4
Patched version(s): 2.6.4

References

GHSA-xmq3-q5pm-rp26
vercel.com
CVE-2025-52662
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

@tiptap/extension-link vulnerable to Cross-site Scripting (XSS) - CVE-2025-14284
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
Bootstrap vulnerable to Cross-Site Scripting (XSS) - CVE-2018-14040

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; @nuxt/devtools

Anything's wrong? Let us know Last updated on November 07, 2025