Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/vite-builder

Description

Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.

Recommendation

Update the @nuxt/vite-builder package to the latest compatible version. Followings are version details:

• Affected version(s): >= 3.8.1, < 3.15.3
• Patched version(s): 3.15.3

References

• GHSA-2452-6xj8-jh47
• CVE-2025-24360
• CWE-200
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/webpack-builder - CVE-2025-24361
• Opening a malicious website while running a Nuxt dev server could allow read-only access to code - CVE-2025-24361
• webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browse - CVE-2025-30360
• webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359

You might also like:

Exploiting Server Version Disclosure

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@nuxt/vite-builder