Vite · Vite · CVE-2025-24360
**Name of the Vulnerable Software and Affected Versions**
Nuxt versions 3.8.1 through 3.15.2
**Description**
The issue arises from the default CORS settings in Nuxt, which allow any website to send requests to the development server and read the response. This can lead to source code theft by malicious websites, in particular for users who keep the default `server.cors` option with the Vite builder. The vulnerability can be exploited even if the development server is only reachable locally and not exposed to the network, because the request is made by the browser of the user who visits the malicious site. There are three main causes: permissive default CORS settings, lack of validation of the Origin header for WebSocket connections, and lack of validation of the Host header for HTTP requests. Together these can allow attackers to steal source code, access functionality not meant to be exposed, and exploit certain plugin functionality.
**Recommendations**
For Nuxt versions 3.8.1 through 3.15.2, upgrade to version 3.15.3 or later to fix the vulnerability.
If using the backend integration feature, add the origin of the backend server to the `server.cors.origin` option, ensuring a specific origin is set rather than '*'.
If using a reverse proxy in front of Nuxt, add the hostname to the new `server.allowedHosts` option.
If accessing the development server via a domain other than `localhost` or `*.localhost`, add the hostname to the `server.allowedHosts` option.
For users of plugins that connect to the WebSocket server on their own from the browser, upgrade to a version of Nuxt that fixes the vulnerability. If the WebSocket connection then stops working, either update the plugin code to be compatible with the new version of Nuxt or set `legacy.skipWebSocketTokenCheck: true`, being aware of the security implications.
As a temporary workaround, consider setting `server.cors` to `false` or limiting `server.cors.origin` to trusted origins to mitigate the risk of source code theft.
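The recommendations above amount to a short checklist over three dev-server options. The following TypeScript audit, added here as an example and not code from Nuxt or Vite, encodes that checklist so it can be run against a project's configuration: it flags a permissive `server.cors` (unset, `true`, or an origin of `'*'`), a hostname other than `localhost`/`*.localhost` that is missing from `server.allowedHosts`, and the `legacy.skipWebSocketTokenCheck` escape hatch. The placement of these options under the `vite` key of `nuxt.config`, the subdomain-matching rule for `allowedHosts` entries, and the sample origins and hostnames are assumptions made for the example.

```typescript
// Added example (not Nuxt's or Vite's own code): audit the dev-server settings
// named in the CVE-2025-24360 recommendations. Option names come from the
// advisory; their location under the `vite` key of nuxt.config is assumed.

type CorsOrigin = string | RegExp | (string | RegExp)[] | boolean;

export interface DevServerConfig {
  cors?: boolean | { origin?: CorsOrigin };
  allowedHosts?: string[] | true;
}

export interface NuxtConfigSubset {
  vite?: {
    server?: DevServerConfig;
    legacy?: { skipWebSocketTokenCheck?: boolean };
  };
}

export interface Finding { code: string; message: string }

// `localhost` and `*.localhost` are always accepted, per the advisory.
function isLocalhost(host: string): boolean {
  return host === "localhost" || host.endsWith(".localhost");
}

// Assumed matching rule for allowedHosts entries: an exact hostname, or a
// leading-dot entry (".example.test") that also covers its subdomains.
function hostAllowed(entry: string, host: string): boolean {
  if (entry.startsWith(".")) {
    return host === entry.slice(1) || host.endsWith(entry);
  }
  return host === entry;
}

// An unset origin, `true`, or '*' (alone or in a list) means "any origin".
function originIsWildcard(origin: CorsOrigin | undefined): boolean {
  if (origin === undefined || origin === true || origin === "*") return true;
  return Array.isArray(origin) && origin.includes("*");
}

export function auditDevServer(cfg: NuxtConfigSubset, accessHost = "localhost"): Finding[] {
  const findings: Finding[] = [];
  const server = cfg.vite?.server ?? {};

  // CORS: on affected versions an unset or `true` value is the permissive
  // default; an object whose origin is a wildcard is equally open.
  const cors = server.cors;
  const corsOpen = cors === undefined || cors === true ||
    (typeof cors === "object" && originIsWildcard(cors.origin));
  if (corsOpen) {
    findings.push({
      code: "CORS_ANY_ORIGIN",
      message: "server.cors lets any origin read dev-server responses; set server.cors.origin to the trusted origin(s) or server.cors to false",
    });
  }

  // Host header: a non-localhost hostname must be listed in server.allowedHosts.
  if (!isLocalhost(accessHost)) {
    const allowed = server.allowedHosts;
    if (allowed === true) {
      findings.push({ code: "ALLOWED_HOSTS_ANY", message: "server.allowedHosts is true, so Host header validation is disabled" });
    } else if (!allowed || !allowed.some((entry) => hostAllowed(entry, accessHost))) {
      findings.push({ code: "HOST_NOT_ALLOWED", message: `add "${accessHost}" to server.allowedHosts` });
    }
  }

  // WebSocket: the legacy flag disables the origin/token check the fix introduced.
  if (cfg.vite?.legacy?.skipWebSocketTokenCheck === true) {
    findings.push({ code: "WS_TOKEN_CHECK_DISABLED", message: "legacy.skipWebSocketTokenCheck re-opens the WebSocket server to any origin" });
  }
  return findings;
}

// Constructed sample configs: the weak default beside a hardened one.
export const weakConfig: NuxtConfigSubset = {
  vite: { server: { cors: true } },
};

export const hardenedConfig: NuxtConfigSubset = {
  vite: {
    server: {
      cors: { origin: ["http://localhost:8000"] }, // hypothetical backend origin
      allowedHosts: [".dev.example.test"],         // hypothetical reverse-proxy domain
    },
  },
};

console.log("weak:", auditDevServer(weakConfig, "app.dev.example.test").map((f) => f.code));
console.log("hardened:", auditDevServer(hardenedConfig, "app.dev.example.test").map((f) => f.code));
```

Run with the hostname you actually use to reach the dev server; with the default `localhost` the host check is skipped and only the CORS and WebSocket settings are reported. The audit treats an unset `server.cors` as open because that is the affected-version default; once upgraded to 3.15.3 or later the default itself is restricted, but an explicit `origin: '*'` remains open and is still flagged.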