PT-2025-5342 · Nuxt+1

Ivantsepp · Published 2025-01-21 · Updated 2025-01-27 · CVE-2025-24360

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Nuxt versions 3.8.1 through 3.15.2

Description: The issue arises from the default CORS settings in Nuxt, which allow any website to send requests to the development server and read the response. This can lead to source code theft by malicious websites, especially for users running the Vite builder with the default server.cors option. The vulnerability can be exploited even if the development server is only accessible locally and not exposed to the network. There are three main causes: permissive default CORS settings, lack of validation of the Origin header for WebSocket connections, and lack of validation of the Host header for HTTP requests. Together these can allow attackers to steal source code, access functionality not meant to be exposed, and abuse certain plugin functionality.

Recommendations:
For Nuxt versions 3.8.1 through 3.15.2, upgrade to version 3.15.3 or later to fix the vulnerability.
If using the backend integration feature, add the origin of the backend server to the server.cors.origin option, making sure a specific origin is set rather than '*'.
If using a reverse proxy in front of Nuxt, add its hostname to the new server.allowedHosts option.
If accessing the development server via a domain other than localhost or *.localhost, add that hostname to the server.allowedHosts option.
For users of plugins that connect to the WebSocket server on their own from the browser, upgrade to a version of Nuxt that fixes the vulnerability. If the WebSocket connection then appears not to work, either fix the plugin code to make it compatible with the new version of Nuxt or set legacy.skipWebSocketTokenCheck: true, being aware of the security implications.
As a temporary workaround, consider setting server.cors to false or limiting server.cors.origin to trusted origins to mitigate the risk of source code theft.
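As an added illustration that is not part of this advisory and not Nuxt's or Vite's own code, the following JavaScript models the two checks the description says were missing (Origin for CORS/WebSocket, Host for HTTP), driven by a plain config object shaped like the recommended server.cors.origin and server.allowedHosts settings. The origins and hostnames in it are constructed placeholders, and accepting loopback IP literals is an assumption of the model.

```javascript
// Permissive default described in the advisory: any origin may read dev-server responses.
const weakConfig = { cors: { origin: '*' }, allowedHosts: [] };

// Hardened settings as recommended: one specific backend origin and the reverse-proxy
// hostname. Both values are constructed placeholders for this example.
const hardenedConfig = {
  cors: { origin: 'http://localhost:4000' },
  allowedHosts: ['dev.example.internal'],
};

// Origin check, as applied to CORS responses and WebSocket upgrade requests. A request
// with no Origin header is not cross-site (same-origin fetch, curl) and passes.
function isOriginAllowed(config, origin) {
  if (origin === undefined) return true;
  const allowed = config.cors.origin;
  if (allowed === '*') return true; // wildcard: every website passes the check
  const list = Array.isArray(allowed) ? allowed : [allowed];
  return list.includes(origin);
}

// Host check: localhost and *.localhost always pass, plus configured allowedHosts.
// Accepting loopback IP literals is an assumption of this model, not stated on the page.
function isHostAllowed(config, hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  // Drop the port; a bracketed IPv6 literal keeps its brackets.
  const hostname = hostHeader.startsWith('[')
    ? hostHeader.slice(0, hostHeader.indexOf(']') + 1)
    : hostHeader.split(':')[0];
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  if (hostname === '127.0.0.1' || hostname === '[::1]') return true;
  return config.allowedHosts.includes(hostname);
}

// Constructed sample requests: a page on an unrelated site reading the dev server,
// the configured backend origin, and direct requests via two hostnames.
const samples = [
  { origin: 'https://other-site.example', host: 'localhost:3000' },
  { origin: 'http://localhost:4000', host: 'localhost:3000' },
  { origin: undefined, host: 'dev.example.internal' },
  { origin: undefined, host: 'unlisted.example' },
];

// Returns, per sample, whether the server would serve the request under `config`.
function evaluate(config) {
  return samples.map((r) => isOriginAllowed(config, r.origin) && isHostAllowed(config, r.host));
}

console.log('weak:', evaluate(weakConfig), 'hardened:', evaluate(hardenedConfig));
```

Under the weak config the unrelated site's page is served (first sample), which is the cross-site read the advisory describes; under the hardened config only the configured backend origin and the listed hostname are accepted.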

Exploit

Fix

Weakness Enumeration

Origin Validation Error
Information Disclosure

Related Identifiers

CVE-2025-24360
GHSA-2452-6XJ8-JH47
GHSA-VG6X-RCGG-RJX6

Affected Products

Nuxt
Vite