CVE-2025-24361

Name of the Vulnerable Software and Affected Versions Nuxt versions 3.0.0 through 3.15.12 Nuxt versions 3.12.2 through 3.152

Description Source code may be stolen during development when using the webpack or rspack builder and a victim opens a malicious website. Because the request for classic script by a script tag is not subject to the same origin policy, an attacker can inject a malicious script in their site and run the script. By using Function::toString against the values in window.webpackChunknuxt app, the attacker can get the source code.

Recommendations For Nuxt versions 3.0.0 through 3.15.12, update to version 3.15.13 to patch the issue. For Nuxt versions 3.12.2 through 3.152, update to version 3.15.13 to patch the issue. As a temporary workaround, consider restricting access to the window.webpackChunknuxt app values to minimize the risk of exploitation. Avoid using the Function::toString method against the values in window.webpackChunknuxt app until the issue is resolved.