PT-2024-20006 · Unknown · Nuxt Devtools

Ohb00 · Published 2024-08-05 · Updated 2024-09-20 · CVE-2024-23657

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nuxt Devtools versions prior to 1.3.9
Description: The getTextAssetContent RPC function requires no authentication and does not reject path-traversal sequences, so any client connected to the devtools RPC WebSocket can read arbitrary files from the developer's machine. The WebSocket server also does not validate the Origin header of the upgrade request, so a web page the developer happens to visit can open that connection from the browser (cross-site WebSocket hijacking), interact with the locally running devtools instance, and exfiltrate data. Nuxt Devtools stores its authentication token under the current user's home directory. A malicious page can therefore connect to the devtools WebSocket, use the unauthenticated path traversal to guess its way to the token file, authenticate with the recovered token, and call the authenticated writeStaticAssets function to create a new component, Nitro handler, or app.vue file; the dev server picks the changed file up automatically and executes it, which yields remote code execution (RCE). The only victim interaction is visiting the attacker's page while the dev server is running, which is why the vector carries UI:R together with PR:N.
Recommendations: Upgrade to Nuxt Devtools 1.3.9 or later, which fixes the vulnerability. Until you can upgrade, reduce exposure: disable or block the getTextAssetContent function, restrict who can reach the devtools WebSocket (at a minimum, reject upgrade requests whose Origin is not the dev server's own origin), and avoid exposing the writeStaticAssets function. Because the dev server executes app.vue, components and Nitro handlers as soon as they change, also restrict writes to those files and treat any unexpected change to them on a developer machine as a possible sign of compromise.

Tags: Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2024-23657, GHSA-RCVG-RGF7-PPPV

Affected Products: Nuxt Devtools