VYPR
Moderate severity · NVD Advisory · Published Nov 7, 2025 · Updated Dec 1, 2025

CVE-2025-52662

Description

A vulnerability in Nuxt DevTools has been fixed in version 2.6.4*. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade.

More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in Nuxt DevTools allows authentication token theft and remote code execution in development environments; fixed in version 2.6.4.

Vulnerability

Overview

The vulnerability in Nuxt DevTools (CVE-2025-52662) stems from a DOM-based cross-site scripting (XSS) flaw in the authentication page. Error messages are rendered using innerHTML without proper sanitization, allowing an attacker to inject arbitrary JavaScript [4]. This is part of a vulnerability chain that also includes a path traversal issue in the WebSocket message handler.

Exploitation

An attacker can exploit the XSS to steal Nuxt authentication tokens from a developer's session. With these tokens, the attacker can leverage a path traversal vulnerability in the WebSocket handler to write arbitrary files outside the intended directory. This combination enables remote code execution (RCE) in the development environment [4]. The attack requires the developer to visit a malicious page while Nuxt DevTools is active, but no additional authentication is needed beyond the stolen token.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the developer's machine, potentially compromising sensitive data, source code, or credentials. The impact is particularly severe in development environments where DevTools is commonly enabled and may be exposed to untrusted networks [4].

Mitigation

The issue is fixed in Nuxt DevTools version 2.6.4, where error messages are now rendered as textContent instead of innerHTML [3][4]. Users are strongly advised to upgrade immediately. As a workaround, avoid publicly exposing Nuxt DevTools and do not run Nuxt in production mode with DevTools enabled [4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
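
The fix described above swaps an HTML-parsing sink for a text-only one. As an added example (not code from Nuxt DevTools or from this advisory), the following Node.js script is a heuristic, line-based audit that finds `innerHTML`/`outerHTML` assignments and separates constant strings from values built at runtime. The function names are hypothetical, and the sample input is the pre-fix side of the diff shown further down this page.

```javascript
// Added example (not Nuxt DevTools code): heuristic, line-based audit for HTML sinks.
// The sample is the pre-fix side of the diff on this page, surrounding context trimmed.
const PRE_FIX_SAMPLE = [
  "const el = document.getElementById('message')",
  "el.innerHTML = '⚠️ No token found, please double check your URL.'",
  "el.innerHTML = '✅ Authorized! You can close this window now.'",
  "el.innerHTML = `⚠️ Failed to authorize: ${err.message}`",
  "el.style.color = '#df513f'",
].join('\n')

// Same lines after the fix: textContent never parses markup, so nothing should be flagged.
const POST_FIX_SAMPLE = PRE_FIX_SAMPLE.replace(/innerHTML/g, 'textContent')

// Assignment (= or +=) to innerHTML/outerHTML; comparisons (==, ===) are excluded.
const SINK = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+?);?\s*$/

// 'static' only when the whole right-hand side is a single literal with no
// concatenation and no ${...} substitution; everything else is 'dynamic'.
function classifyRhs(rhs) {
  if (/^'(?:[^'\\]|\\.)*'$/.test(rhs)) return 'static'
  if (/^"(?:[^"\\]|\\.)*"$/.test(rhs)) return 'static'
  if (/^`(?:[^`\\$]|\\.|\$(?!\{))*`$/.test(rhs)) return 'static'
  return 'dynamic'
}

// Returns one finding per sink assignment: { line, sink, kind, text }.
function auditHtmlSinks(source) {
  const findings = []
  source.split('\n').forEach((raw, i) => {
    const text = raw.trim()
    if (text.startsWith('//')) return // skip whole-line comments
    const m = SINK.exec(text)
    if (m) findings.push({ line: i + 1, sink: m[1], kind: classifyRhs(m[2].trim()), text })
  })
  return findings
}

// Dynamic findings need review first; static ones carry no runtime data.
function dynamicSinks(source) {
  return auditHtmlSinks(source).filter(f => f.kind === 'dynamic')
}

for (const f of auditHtmlSinks(PRE_FIX_SAMPLE)) {
  console.log(`line ${f.line}: ${f.sink} <- ${f.kind}: ${f.text}`)
}
```

On the pre-fix sample only the `err.message` line is reported as dynamic. Because the check works line by line, a multi-line assignment or an aliased element property needs an AST-based linter instead.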

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @nuxt/devtools (npm)
Affected versions: < 2.6.4
Patched versions: 2.6.4

Patches

7cadbbe9

fix: using `textContent` instead of `innerHtml` for auth page
chore: update lock

https://github.com/nuxt/devtools · Anthony Fu · Sep 19, 2025 · via ghsa
1 file changed · +3 -3
  • packages/devtools/src/runtime/auth/index.html +3 -3 modified
    @@ -50,7 +50,7 @@
       const el = document.getElementById('message')
     
       if (!token) {
    -    el.innerHTML = '⚠️ No token found, please double check your URL.'
    +    el.textContent = '⚠️ No token found, please double check your URL.'
         el.style.color = '#df513f'
       } else {
         fetch(`${location.pathname.split(/\//g).slice(0, -1).join('/')}/auth-verify?token=${token}`)
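Review bot: The context line at the end of this hunk interpolates `token` into the `auth-verify?token=${token}` query string without encoding, so a token containing `&`, `#` or `+` would change the request that is actually sent; wrap it as `encodeURIComponent(token)`. The `textContent` change on the "No token found" line is fine, though that string is a constant, so on this line it is hygiene rather than the fix itself.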
    @@ -65,11 +65,11 @@
               data: token,
             })
     
    -        el.innerHTML = '✅ Authorized! You can close this window now.'
    +        el.textContent = '✅ Authorized! You can close this window now.'
             window.close()
           })
           .catch((err) => {
    -        el.innerHTML = `⚠️ Failed to authorize: ${err.message}`
    +        el.textContent = `⚠️ Failed to authorize: ${err.message}`
             el.style.color = '#df513f'
           })
       }
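Review bot: In the `.catch` handler, `err.message` is the only value across the three changed assignments that is not a constant, and nothing in the change records why `textContent` is required there; add a short comment above that line and consider a lint rule that forbids `innerHTML` assignment in this file so the sink is not reintroduced later. Separately, `window.close()` runs immediately after the "Authorized" message is set, so that message may never be visible when the close succeeds.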
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
