VYPR
Medium severity (CVSS 5.3) · OSV Advisory · Published Jan 25, 2025 · Updated Apr 15, 2026

CVE-2025-24360

Description

Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any website to send arbitrary requests to the development server and read the response, because of the default CORS settings. Users running the Vite builder with the default server.cors option may have their source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nuxt default CORS settings allow any website to send requests to the dev server, risking source code theft; fixed in v3.15.3.

CVE-2025-24360 is a vulnerability in the Nuxt web framework that arises from permissive default CORS settings in the Vite-based development server. Starting from version 3.8.1 and prior to 3.15.3, Nuxt does not restrict cross-origin requests, allowing any website to send arbitrary requests to the dev server and read the responses. This is due to the default server.cors option being overly permissive, effectively trusting any origin [1][2].

Exploitation of this vulnerability does not require authentication or any special network position: any malicious website visited by a developer who is running a Nuxt dev server can send requests to it. The issue is particularly dangerous because the requests originate from the developer's own browser, so binding the dev server to localhost does not help; the server responds without validating the Origin of the cross-origin request. This is identical to a Vite vulnerability (GHSA-vg6x-rcgg-rjx6) that affects the underlying builder [1].

An attacker can leverage this to exfiltrate sensitive information, including source code, environment variables, or other data served by the dev server. Since the dev server often has access to the full project files, this could lead to significant data disclosure. The vulnerability has a CVSS v3 score of 5.3 (Medium) [2].

The fix was introduced in Nuxt version 3.15.3, which adds a default CORS origin that restricts access to localhost, 127.0.0.1, and [::1] [3]. Users should upgrade to the patched version or manually configure server.cors.origin to restrict allowed origins. For those unable to upgrade, following the Vite advisory's workarounds (e.g., setting a specific origin) can mitigate the risk [1].
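As an added illustration that is not code from the Nuxt repository, the TypeScript below models the decision the dev server makes for a cross-origin request: the pre-3.15.3 default (every origin accepted) beside the patched default, which reuses the origin regular expression from the dev.ts hunk shown later on this page. `permissivePolicy`, `localPolicy`, `corsHeaders` and `readableBy` are hypothetical names, and the header logic is a simplified model of h3-style CORS handling rather than h3's implementation.

```typescript
// Default dev-server origin pattern introduced by the fix (copied from the dev.ts hunk on this page).
const LOCAL_ORIGINS: Array<string | RegExp> = [
  /^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/,
];

type OriginPolicy = (origin: string) => boolean;

// Hypothetical model of the pre-3.15.3 default: every Origin header value is accepted.
const permissivePolicy: OriginPolicy = () => true;

// Hypothetical model of the patched default: the Origin must match one allowed entry.
// Strings are compared exactly; RegExps are tested against the whole header value.
function localPolicy(allowed: Array<string | RegExp> = LOCAL_ORIGINS): OriginPolicy {
  return (origin) =>
    allowed.some((rule) => (rule instanceof RegExp ? rule.test(origin) : rule === origin));
}

// Response headers a dev server adds for a request carrying `origin`.
// Without access-control-allow-origin the browser refuses to expose the body to the page.
// `Vary: Origin` is always set because the response now depends on the request Origin.
function corsHeaders(origin: string | undefined, policy: OriginPolicy): Record<string, string> {
  const headers: Record<string, string> = { vary: 'Origin' };
  if (origin !== undefined && policy(origin)) {
    headers['access-control-allow-origin'] = origin;
  }
  return headers;
}

// Constructed sample Origin values: local ones a developer's browser sends,
// and remote ones a third-party page would send.
const SAMPLE_ORIGINS = [
  'http://localhost:3000',
  'http://app.localhost:3000',
  'http://127.0.0.1:3000',
  'http://[::1]:3000',
  'https://third-party.example',
  'http://localhost.third-party.example',
];

// Which of the sample origins a given policy lets read dev-server responses.
function readableBy(policy: OriginPolicy, origins: string[] = SAMPLE_ORIGINS): string[] {
  return origins.filter((o) => 'access-control-allow-origin' in corsHeaders(o, policy));
}
```

Passing a custom list to `localPolicy` corresponds to overriding the dev server's CORS origin setting, which the commit message on this page says the fix makes configurable via `devServer.cors`.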

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @nuxt/vite-builder (npm)
Affected versions: >= 3.8.1, < 3.15.3
Patched versions: 3.15.3

Affected products

  • Range: v3.10.0, v3.10.1, v3.10.2, …

Patches

7eeb910bf4ac

fix(vite,webpack): restrict access via cors to local origins + allow configuration via `devServer.cors`

https://github.com/nuxt/nuxt · Daniel Roe · Jan 24, 2025 · via ghsa
3 files changed · +22 −7
  • packages/schema/src/config/dev.ts (+8 −0, modified)
    @@ -39,5 +39,13 @@ export default defineUntypedSchema({
          * @type {(data: { loading?: string }) => string}
          */
         loadingTemplate,
    +
    +    /**
    +     * Set CORS options for the dev server
    +     * @type {typeof import('h3').H3CorsOptions}
    +     */
    +    cors: {
    +      origin: [/^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/],
    +    },
       },
     })
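Review bot: the JSDoc `@type {typeof import('h3').H3CorsOptions}` on the new `cors` option refers to a value, but `H3CorsOptions` is a type; `@type {import('h3').H3CorsOptions}` is the form that resolves. The doc comment would also serve users better if it said what the default does, namely admit only origins on localhost (any subdomain of localhost included, via `(?:[^:]+\.)?`), 127.0.0.1 and [::1], over http or https with an optional port, and that replacing `origin` with a wildcard reopens the cross-origin read described above.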
    
  • packages/vite/src/client.ts (+4 −4, modified)
    @@ -9,7 +9,7 @@ import { getPort } from 'get-port-please'
     import { joinURL, withoutLeadingSlash } from 'ufo'
     import { defu } from 'defu'
     import { env, nodeless } from 'unenv'
    -import { appendCorsHeaders, appendCorsPreflightHeaders, defineEventHandler } from 'h3'
    +import { defineEventHandler, handleCors, setHeader } from 'h3'
     import type { ViteConfig } from '@nuxt/schema'
     import type { ViteBuildContext } from './vite'
     import { devStyleSSRPlugin } from './plugins/dev-ssr-css'
    @@ -255,11 +255,11 @@ export async function buildClient (ctx: ViteBuildContext) {
             // @ts-expect-error _skip_transform is a private property
             event.node.req._skip_transform = true
           } else if (!useViteCors) {
    -        if (event.method === 'OPTIONS') {
    -          appendCorsPreflightHeaders(event, {})
    +        const isPreflight = handleCors(event, ctx.nuxt.options.devServer.cors)
    +        if (isPreflight) {
               return null
             }
    -        appendCorsHeaders(event, {})
    +        setHeader(event, 'Vary', 'Origin')
           }
     
           // Workaround: vite devmiddleware modifies req.url
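Review bot: the new `handleCors`/`setHeader` block only runs in the `!useViteCors` branch; when `useViteCors` is true the request is left to Vite's own CORS handling, so the restriction this hunk adds depends on the Vite dependency carrying its own fix for the same issue (the advisory references GHSA-vg6x-rcgg-rjx6). That dependency is worth stating in the PR description or pinning in a test. Note also that for non-preflight requests execution continues regardless of whether the origin was allowed; the response is still produced, just without `Access-Control-Allow-Origin`, which is the correct CORS behaviour (the browser withholds the body) but means the request is still served and logged.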
    
  • packages/webpack/src/webpack.ts (+10 −3, modified)
    @@ -1,6 +1,7 @@
     import pify from 'pify'
     import { resolve } from 'pathe'
    -import { defineEventHandler, fromNodeMiddleware } from 'h3'
    +import { defineEventHandler, fromNodeMiddleware, handleCors, setHeader } from 'h3'
    +import type { H3CorsOptions } from 'h3'
     import type { IncomingMessage, MultiWatching, ServerResponse } from 'webpack-dev-middleware'
     import webpackDevMiddleware from 'webpack-dev-middleware'
     import webpackHotMiddleware from 'webpack-hot-middleware'
    @@ -125,7 +126,7 @@ async function createDevMiddleware (compiler: Compiler) {
       })
     
       // Register devMiddleware on server
    -  const devHandler = wdmToH3Handler(devMiddleware)
    +  const devHandler = wdmToH3Handler(devMiddleware, nuxt.options.devServer.cors)
       const hotHandler = fromNodeMiddleware(hotMiddleware)
       await nuxt.callHook('server:devHandler', defineEventHandler(async (event) => {
         const body = await devHandler(event)
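Review bot: `hotHandler = fromNodeMiddleware(hotMiddleware)` on the line after the changed one is still registered without the CORS handling now applied to `devHandler`, so the HMR endpoint served by webpack-hot-middleware keeps whatever cross-origin behaviour it had before this patch. If it was also readable cross-origin under the old defaults it needs the same `handleCors` treatment; if it is exempt for a reason, a comment saying so would save the next reader the question.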
    @@ -139,8 +140,14 @@ async function createDevMiddleware (compiler: Compiler) {
     }
     
     // TODO: implement upstream in `webpack-dev-middleware`
    -function wdmToH3Handler (devMiddleware: webpackDevMiddleware.API<IncomingMessage, ServerResponse>) {
    +function wdmToH3Handler (devMiddleware: webpackDevMiddleware.API<IncomingMessage, ServerResponse>, corsOptions: H3CorsOptions) {
       return defineEventHandler(async (event) => {
    +    const isPreflight = handleCors(event, corsOptions)
    +    if (isPreflight) {
    +      return null
    +    }
    +    setHeader(event, 'Vary', 'Origin')
    +
         event.context.webpack = {
           ...event.context.webpack,
           devMiddleware: devMiddleware.context,
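Review bot: the preflight/`Vary: Origin` block added at the top of the returned handler is the same four lines added to `packages/vite/src/client.ts` in this commit; a small shared helper would keep the two builders from drifting, since any later change to one must otherwise be mirrored by hand. Also, `corsOptions` is now a required parameter of `wdmToH3Handler`, so every caller must pass the dev-server options; if `nuxt.options.devServer.cors` can ever be unset, a guard or a default here would be safer than relying on the schema default alone.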
    

