Opening a malicious website while running a Nuxt dev server could allow read-only access to code (GHSA-2452-6xj8-jh47)
- Severity:
- Medium
Description
Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.
Recommendation
Update the @nuxt/vite-builder package to the latest compatible version. Followings are version details:
- Affected version(s): >= 3.8.1, < 3.15.3
- Patched version(s): 3.15.3
References
Related Issues
- @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25285
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code (GHSA-4gf7-ff8x-hq99) - CVE-2025-24361
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- @nuxt/vite-builder
Anything's wrong? Let us know Last updated on January 27, 2025