CVE-2025-24361
Description
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during development when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.15.2 of the rspack builder and a victim opens a malicious web site. Because the request for a classic script made by a `<script>` tag is not subject to the same-origin policy, an attacker can inject a malicious script in their site and run the script. By using Function::toString against the values in window.webpackChunknuxt_app, the attacker can obtain the source code. Version 3.15.13 of Nuxt patches this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @nuxt/webpack-builder (npm) | >= 3.0.0, < 3.15.3 | 3.15.3 |
| @nuxt/rspack-builder (npm) | >= 3.12.2, < 3.15.3 | 3.15.3 |
Patches
2048f974eba457eeb910bf4ac fix(vite,webpack): restrict access via cors to local origins + allow configuration via `devServer.cors`
3 files changed · +22 −7
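--- a/packages/schema/src/config/dev.ts
+++ b/packages/schema/src/config/dev.ts
@@ -39,5 +39,13 @@ export default defineUntypedSchema({
      * @type {(data: { loading?: string }) => string}
      */
     loadingTemplate,
+
+    /**
+     * Set CORS options for the dev server
+     * @type {typeof import('h3').H3CorsOptions}
+     */
+    cors: {
+      origin: [/^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/],
+    },
   },
 })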
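Review bot: The new `cors.origin` default is not described by its JSDoc, so a reader has to decode the regex to learn which origins the dev server will answer CORS requests for; the comment should spell it out, e.g. `Defaults to loopback origins only: localhost and *.localhost, 127.0.0.1 and [::1], on any port, over http or https.` A second sentence should warn that widening it (for example `origin: '*'` to test from another device on the LAN) gives every site cross-origin read access to dev-server responses again, which appears to be what this commit is removing. Note also that `(?:[^:]+\.)?` intentionally admits any `*.localhost` subdomain; stating that in the comment keeps it from being read as a typo later. The enclosing schema object starts before the hunk.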
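--- a/packages/vite/src/client.ts
+++ b/packages/vite/src/client.ts
@@ -9,7 +9,7 @@ import { getPort } from 'get-port-please'
 import { joinURL, withoutLeadingSlash } from 'ufo'
 import { defu } from 'defu'
 import { env, nodeless } from 'unenv'
-import { appendCorsHeaders, appendCorsPreflightHeaders, defineEventHandler } from 'h3'
+import { defineEventHandler, handleCors, setHeader } from 'h3'
 import type { ViteConfig } from '@nuxt/schema'
 import type { ViteBuildContext } from './vite'
 import { devStyleSSRPlugin } from './plugins/dev-ssr-css'
@@ -255,11 +255,11 @@ export async function buildClient (ctx: ViteBuildContext) {
         // @ts-expect-error _skip_transform is a private property
         event.node.req._skip_transform = true
       } else if (!useViteCors) {
-        if (event.method === 'OPTIONS') {
-          appendCorsPreflightHeaders(event, {})
+        const isPreflight = handleCors(event, ctx.nuxt.options.devServer.cors)
+        if (isPreflight) {
           return null
         }
-        appendCorsHeaders(event, {})
+        setHeader(event, 'Vary', 'Origin')
       }
       // Workaround: vite devmiddleware modifies req.url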
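Review bot: The new `else if (!useViteCors)` branch only stops when `handleCors` reports a preflight; every other request continues into the middleware whether or not its `Origin` matched `devServer.cors`, so a disallowed origin is still served and merely misses the `Access-Control-Allow-Origin` header (assuming h3's `handleCors` does what its name suggests — its body is not on this page). That protects responses read via `fetch`/XHR, but a classic `<script src>` load is made in no-cors mode and ignores CORS headers, which is the path the advisory text describes, so this hunk alone does not appear to close it; please confirm or document where that path is handled. The same applies to the `wdmToH3Handler` hunk in packages/webpack/src/webpack.ts. A one-line comment above `const isPreflight = …`, e.g. `// CORS only governs which origins may read the response; the request itself is still served`, would stop a maintainer from reading this as a request filter. `buildClient` starts and ends outside the hunk.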
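--- a/packages/webpack/src/webpack.ts
+++ b/packages/webpack/src/webpack.ts
@@ -1,6 +1,7 @@
 import pify from 'pify'
 import { resolve } from 'pathe'
-import { defineEventHandler, fromNodeMiddleware } from 'h3'
+import { defineEventHandler, fromNodeMiddleware, handleCors, setHeader } from 'h3'
+import type { H3CorsOptions } from 'h3'
 import type { IncomingMessage, MultiWatching, ServerResponse } from 'webpack-dev-middleware'
 import webpackDevMiddleware from 'webpack-dev-middleware'
 import webpackHotMiddleware from 'webpack-hot-middleware'
@@ -125,7 +126,7 @@ async function createDevMiddleware (compiler: Compiler) {
   })
   // Register devMiddleware on server
-  const devHandler = wdmToH3Handler(devMiddleware)
+  const devHandler = wdmToH3Handler(devMiddleware, nuxt.options.devServer.cors)
   const hotHandler = fromNodeMiddleware(hotMiddleware)
   await nuxt.callHook('server:devHandler', defineEventHandler(async (event) => {
     const body = await devHandler(event)
@@ -139,8 +140,14 @@ async function createDevMiddleware (compiler: Compiler) {
 }
 // TODO: implement upstream in `webpack-dev-middleware`
-function wdmToH3Handler (devMiddleware: webpackDevMiddleware.API<IncomingMessage, ServerResponse>) {
+function wdmToH3Handler (devMiddleware: webpackDevMiddleware.API<IncomingMessage, ServerResponse>, corsOptions: H3CorsOptions) {
   return defineEventHandler(async (event) => {
+    const isPreflight = handleCors(event, corsOptions)
+    if (isPreflight) {
+      return null
+    }
+    setHeader(event, 'Vary', 'Origin')
+
     event.context.webpack = {
       ...event.context.webpack,
       devMiddleware: devMiddleware.context,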
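Review bot: The preflight path added to `wdmToH3Handler` returns `null` from the inner handler, while the outer `server:devHandler` handler in the previous hunk just does `const body = await devHandler(event)` and is cut off right after it, so it is not visible here whether a `null` body is treated as "already answered" or falls through to the hot middleware; that should be checked, and the contract stated on the new lines, e.g. `// preflight: handleCors is expected to have answered it, so signal 'nothing more to send'`. The `TODO: implement upstream in webpack-dev-middleware` note above the signature should now also mention the new `corsOptions` parameter as part of what would need to move upstream. `createDevMiddleware` begins and ends outside these hunks.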
Vulnerability mechanics
References