CVE-2026-45670
Status: Undergoing Analysis - In Progress
Source Code Exposure in Nuxt Webpack/Rspack Builder

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6.
Meta Information
  • Published: 2026-06-12
  • Last Modified: 2026-06-12
  • Generated: 2026-06-12
  • AI Q&A: 2026-06-12
  • EPSS Evaluated: N/A
  • Related records: NVD, EUVD
Affected Vendors & Products (5 associated CPEs)
Vendor | Product         | Version / Range
nuxt   | webpack_builder | from 3.15.4 (inclusive) to 3.21.6 (exclusive)
nuxt   | webpack_builder | from 4.0.0-alpha.1 (inclusive) to 4.4.6 (exclusive)
nuxt   | rspack_builder  | from 3.15.4 (inclusive) to 3.21.6 (exclusive)
nuxt   | rspack_builder  | from 4.0.0-alpha.1 (inclusive) to 4.4.6 (exclusive)
nuxt   | webpack_builder | 3.15.4
CWE
CWE-749: The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability affects the Nuxt.js framework, specifically its webpack and rspack builders in certain versions. It is an incomplete fix for a previous vulnerability where the development server can expose the source code over a local network if it is bound to a non-loopback address (for example, when running the server with the --host option).

An attacker on the same network can exploit this by hosting a malicious website that loads scripts from the Nuxt development server, thereby stealing the source code during development. This happens because requests may arrive without the Sec-Fetch-Mode and Sec-Fetch-Site headers, so cross-origin requests that lack them are not blocked and can expose the source code.

The vulnerability was patched in Nuxt.js versions 3.21.6 and 4.4.6 by adding checks on the Origin or Referer headers to ensure requests come from trusted sources.

Impact Analysis

This vulnerability can lead to the theft of your source code during development if you run the Nuxt development server bound to a non-loopback address and a malicious actor on the same network hosts a malicious site.

The attacker can load scripts from your development server and extract your source code, potentially exposing proprietary or sensitive code.

This exposure can compromise confidentiality but does not affect integrity or availability.

The vulnerability requires user interaction (visiting a malicious site) and network adjacency, and it has a moderate severity with a CVSS score of 5.9.

  • If you use the default Vite builder or bind the dev server only to localhost, you are not affected.
  • Workarounds include avoiding the use of --host, using SSH or reverse proxies, or using Chromium-based browsers with local network restrictions.
Detection Guidance

This vulnerability occurs when the Nuxt development server is bound to a non-loopback address (e.g., using the command `nuxt dev --host`), exposing source code over the local network. Detection involves checking if the development server is accessible from other devices on the same network and if it serves source code without proper origin validation.

You can detect the vulnerability by attempting to access the development server from another machine on the same network and inspecting the responses for source code exposure.

  • Check if the Nuxt dev server is running with a non-loopback host binding: `ps aux | grep nuxt` or check your start scripts for `--host` usage.
  • From another machine on the same network, try to fetch the Nuxt app script, for example: `curl http://<dev-server-ip>:3000/_nuxt/app.js` and inspect if source code is returned.
  • Use browser developer tools or network sniffers to observe if requests to the dev server lack security headers like `Sec-Fetch-Mode` and `Sec-Fetch-Site`.

Note that the vulnerability requires user interaction and a malicious site on the same network to exploit, so detection also involves monitoring for suspicious cross-origin requests to the dev server.

Mitigation Strategies

To mitigate this vulnerability immediately, you should avoid binding the Nuxt development server to a non-loopback address.

  • Run the development server bound only to localhost by avoiding the `--host` option, e.g., use `nuxt dev` without `--host`.
  • If remote access to the dev server is necessary, use secure methods such as SSH tunnels or reverse proxies that restrict access.
  • Upgrade Nuxt.js to patched versions 3.21.6 or later, or 4.4.6 or later, where the dev middleware includes proper Origin and Referer checks.
  • Consider switching to the Vite builder, which is not affected by this vulnerability.
  • Use Chromium-based browsers version 142 or later, which have local network access restrictions that prevent exploitation.
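The Executive Summary and the upgrade item above describe the fix as an Origin/Referer check in the dev middleware. The block below is an added example of such a check written for this page; it is not Nuxt's own middleware. The function names (`isTrustedDevRequest`, `createDevGuard`), the allowlist, the dev-server address `192.168.1.10:3000` and the sample requests are all constructed for illustration. The design fails closed: a request that carries neither usable fetch metadata nor a trustworthy Origin or Referer is refused, which is exactly the gap the incomplete fix left open.

```javascript
// Added example (not Nuxt's own middleware): an Origin/Referer allowlist check of
// the kind the patched dev middleware is described as adding. Function names,
// allowlist, the dev-server address and the sample requests are constructed.

// Extract "host[:port]" from an absolute URL found in an Origin or Referer header.
// Returns null for a missing or malformed value so the caller fails closed.
function hostOf(urlValue) {
  if (typeof urlValue !== 'string') return null;
  try {
    return new URL(urlValue).host;
  } catch {
    return null;
  }
}

// Decide whether a request to the dev server may be served.
// headers: plain object of request headers (Node lower-cases the keys).
// allowedHosts: extra "host:port" values that may embed dev-server resources.
function isTrustedDevRequest(headers, allowedHosts = []) {
  const site = headers['sec-fetch-site'];
  // Fetch-metadata-aware browsers label same-origin requests and direct
  // navigations; those are the normal developer workflow and are allowed.
  if (site === 'same-origin' || site === 'none') return true;

  // Anything else (cross-site, same-site, or no fetch metadata at all) must
  // prove its provenance. Browsers set Origin and Referer themselves and do not
  // let page script forge them, so an allowlisted value is trustworthy.
  const source = hostOf(headers['origin']) ?? hostOf(headers['referer']);
  if (source === null) return false; // no provenance: deny rather than assume

  // A request whose source host is the dev server itself is same-origin even
  // when the browser sent no Sec-Fetch-* headers (older browsers).
  if (headers['host'] && source === headers['host']) return true;
  return allowedHosts.includes(source);
}

// Connect/h3-style middleware wrapper: reject untrusted requests with 403
// before any source file or HMR payload is written to the response.
function createDevGuard(allowedHosts = []) {
  return function devGuard(req, res, next) {
    if (isTrustedDevRequest(req.headers, allowedHosts)) return next();
    res.statusCode = 403;
    res.setHeader('content-type', 'text/plain');
    res.end('Forbidden: cross-origin access to the dev server is blocked');
  };
}

// Constructed sample requests, as a browser on a LAN would send them to a dev
// server listening on 192.168.1.10:3000 (constructed address).
const DEV_HOST = '192.168.1.10:3000';
const SAMPLE_REQUESTS = {
  developerNavigation: { host: DEV_HOST, 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate' },
  developerScriptLoad: { host: DEV_HOST, 'sec-fetch-site': 'same-origin', referer: `http://${DEV_HOST}/` },
  // A <script src="http://192.168.1.10:3000/_nuxt/app.js"> on a page from another site.
  crossSiteScriptLoad: { host: DEV_HOST, 'sec-fetch-site': 'cross-site', referer: 'http://other-site.example/' },
  // Same, but from a browser that sends no Sec-Fetch-* headers at all.
  legacyCrossSite: { host: DEV_HOST, referer: 'http://other-site.example/' },
  legacySameOrigin: { host: DEV_HOST, referer: `http://${DEV_HOST}/pages/index` },
  // No fetch metadata and the referrer was stripped: nothing to trust, so deny.
  noProvenance: { host: DEV_HOST },
  // A local tool on an allowlisted origin (constructed).
  allowlistedTool: { host: DEV_HOST, origin: 'http://localhost:8080' },
};

// Evaluate every sample against the guard; returns { name: boolean }.
function evaluateSamples(allowedHosts = ['localhost:8080']) {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    result[name] = isTrustedDevRequest(headers, allowedHosts);
  }
  return result;
}

console.table(evaluateSamples());
```

Run it with `node` to print which constructed requests are served. The trade-off to note is the `noProvenance` case: a client that sends no Sec-Fetch-*, Origin or Referer headers (a plain `curl` without headers, for instance) is refused, so tooling that must reach the dev server needs to send an Origin that is on the allowlist rather than relying on the server assuming good faith.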
Compliance Impact

This vulnerability allows source code to be stolen during development when the Nuxt dev server is bound to a non-loopback address and a malicious site on the same network is accessed. Such unauthorized disclosure of source code could potentially lead to exposure of sensitive information or intellectual property.

However, the provided information does not explicitly discuss or analyze the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
