CVE-2025-24360
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Description
### Summary

Nuxt allows any website to send any request to the development server and read the response due to default CORS settings.

### Details

While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, Nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995).

https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263

That CORS handler sets `Access-Control-Allow-Origin: *`.

> [!IMPORTANT]
> If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring `vite.server.cors`.

### PoC

1. Start a dev server in any Nuxt project using Vite by `nuxt dev`.
2. Send a fetch request to `http://localhost:3000/_nuxt/app.vue` (`fetch('http://localhost:3000/_nuxt/app.vue')`) from a different origin page.

### Impact

Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites.

### Additional Information

`/__nuxt_vite_node__/manifest` / `/__nuxt_vite_node__/module` also seems to have `Access-Control-Allow-Origin: *`, so it may also be possible to exploit that handler.

https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39

Although I didn't find a valid module id. Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks.
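To check whether your own dev server still answers with the wildcard header described above, the following added example (not part of the advisory or of Nuxt's code) requests the paths named in the advisory with a foreign `Origin` and classifies the CORS response headers. The function names, the `NUXT_DEV_URL` environment variable and the `other-origin.example` origin are hypothetical.

```javascript
// Added example. Paths and base URL come from the advisory; everything else is hypothetical.
const PATHS = ['/_nuxt/app.vue', '/__nuxt_vite_node__/manifest'];
const FOREIGN_ORIGIN = 'https://other-origin.example'; // constructed origin, not a real site

// Decide whether a page on `foreignOrigin` could read a response carrying `headers`
// (lower-cased names, as Node's http module provides them).
function crossOriginReadable(headers, foreignOrigin) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao.trim() === '*') {
    return { readable: true, reason: 'wildcard: any website can read this response' };
  }
  if (acao.trim() === foreignOrigin) {
    return { readable: true, reason: 'server echoes an unrelated Origin back' };
  }
  return { readable: false, reason: `restricted to ${acao}` };
}

// Request one path with a foreign Origin header and classify the response.
async function probe(baseUrl, path, foreignOrigin = FOREIGN_ORIGIN) {
  const http = await import('node:http'); // dynamic import works in CommonJS and ESM
  return new Promise((resolve, reject) => {
    const req = http.get(new URL(path, baseUrl), { headers: { Origin: foreignOrigin } }, (res) => {
      res.resume(); // discard the body; only the headers matter here
      resolve({ path, status: res.statusCode, ...crossOriginReadable(res.headers, foreignOrigin) });
    });
    req.on('error', reject);
  });
}

// Probe every path and return the findings; readable responses are the ones to fix.
async function checkDevServer(baseUrl) {
  return Promise.all(PATHS.map((p) => probe(baseUrl, p)));
}

// Only runs when NUXT_DEV_URL is set, e.g. NUXT_DEV_URL=http://localhost:3000 node check.js
if (process.env.NUXT_DEV_URL) {
  checkDevServer(process.env.NUXT_DEV_URL).then((findings) => {
    for (const f of findings) {
      console.log(`${f.readable ? 'EXPOSED' : 'ok     '} ${f.status} ${f.path} (${f.reason})`);
    }
    process.exitCode = findings.some((f) => f.readable) ? 1 : 0;
  }, (err) => { console.error(`probe failed: ${err.message}`); process.exitCode = 2; });
}
```

Running it before and after upgrading, or after configuring `vite.server.cors`, shows whether the wildcard header is gone.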
How to fix CVE-2025-24360
To remediate CVE-2025-24360, upgrade the affected package to a fixed version below.
- Upgrade to 3.15.3 or later
Is CVE-2025-24360 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.8.1, < 3.15.3