
CVE-2025-24360: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

5.3 CVSS

Description

Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any website to send requests to the development server and read the responses, because of the default CORS settings. Users who keep the default server.cors option with the Vite builder may have their source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.
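As an added illustration (not code from Nuxt, Vite or the advisory), the following JavaScript models the CORS exchange the description refers to: the headers a dev server emits for a given request Origin, the read check a browser then applies to a plain cross-origin fetch, and a small audit function that classifies the resulting headers. The policy objects, origins and sample source are constructed for the example; the allowlist and audit logic show the mitigation direction and are not the project's actual fix.

```javascript
// Added example, not Nuxt or Vite code: models the server-side CORS decision and
// the browser-side read check so a permissive default can be compared with an
// origin allowlist. Policies, origins and the sample source are constructed.

// Constructed stand-in for a source module a dev server would serve.
const SAMPLE_SOURCE = 'export default { name: "App" } // constructed sample';

// Weak policy: every origin may read responses (the exposure the advisory describes).
const PERMISSIVE = { allowAnyOrigin: true, reflectOrigin: false, allowedOrigins: [] };

// Equally weak: echo whatever Origin the request carries.
const REFLECT_ANY = { allowAnyOrigin: false, reflectOrigin: true, allowedOrigins: [] };

// Hardened policy: only the developer's own local origins are allowed.
const LOCAL_ONLY = {
  allowAnyOrigin: false,
  reflectOrigin: false,
  allowedOrigins: ['http://localhost:3000', 'http://127.0.0.1:3000'],
};

const LOCAL_ORIGIN_RE = /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;

// Server side: CORS response headers for a request carrying `requestOrigin`.
function corsHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.allowAnyOrigin) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (requestOrigin && policy.allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin'; // per-origin answer must not be cached across origins
  } else if (requestOrigin && policy.reflectOrigin) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  }
  return headers;
}

// Browser side: for a non-credentialed cross-origin fetch, the page may read the
// body only if Access-Control-Allow-Origin is '*' or exactly equals its own origin.
function browserCanRead(pageOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// A page at `pageOrigin` fetches a module from the dev server; returns the body
// the page can read, or null when the browser blocks the read.
function simulateFetch(pageOrigin, policy) {
  const headers = corsHeaders(pageOrigin, policy);
  return browserCanRead(pageOrigin, headers) ? SAMPLE_SOURCE : null;
}

// Defender check: classify a dev server's CORS headers for a given request origin.
function auditCors(requestOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === '*') return 'wildcard';          // any website can read responses
  if (acao === undefined) return 'blocked';     // browser refuses the cross-origin read
  if (acao === requestOrigin && !LOCAL_ORIGIN_RE.test(acao)) return 'reflects-remote';
  return 'restricted';                          // only a local origin was allowed
}

// Constructed origins for the walkthrough.
const REMOTE = 'https://malicious-site.example';
const LOCAL = 'http://localhost:3000';

console.log('permissive, remote page:', auditCors(REMOTE, corsHeaders(REMOTE, PERMISSIVE)));
console.log('reflecting, remote page:', auditCors(REMOTE, corsHeaders(REMOTE, REFLECT_ANY)));
console.log('allowlist,  remote page:', auditCors(REMOTE, corsHeaders(REMOTE, LOCAL_ONLY)));
console.log('allowlist,  local page: ', auditCors(LOCAL, corsHeaders(LOCAL, LOCAL_ONLY)));
```

Under the permissive and the reflecting policies a page at an unrelated origin receives the module body; under the allowlist the server sends no Access-Control-Allow-Origin header for that origin, so the browser blocks the read while the developer's own localhost page still works. The practical check for a running dev server is the same as the audit function: send a request with a foreign Origin header and inspect the Access-Control-Allow-Origin value that comes back.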

Classification

CVE ID: CVE-2025-24360

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products

Vendor: nuxt

Product: nuxt

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild)

EPSS Percentile: 12.85% (share of scored CVEs with a score at or below this one)

EPSS Date: 2025-03-13 (date the score was calculated)

References

https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47
https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6
https://github.com/nuxt/nuxt/pull/23995
https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f
https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263
https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39

Timeline