CVE-2026-49993
Status: Undergoing Analysis - In Progress
Source Code Exposure in Nuxt.js Webpack/Rspack Builders

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7.
Affected Vendors & Products
4 associated CPEs

Vendor   Product           Version / Range
nuxt     rspack-builder    From 3.15.4 (inc) to 3.21.7 (exc)
nuxt     webpack-builder   From 3.15.4 (inc) to 3.21.7 (exc)
nuxt     rspack-builder    From 4.0.0 (inc) to 4.4.7 (exc)
nuxt     webpack-builder   From 4.0.0 (inc) to 4.4.7 (exc)
CWE

CWE-749: The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Impact Analysis

If you run the Nuxt.js development server bound to a non-loopback address (e.g., using nuxt dev --host), an attacker on the same network can exploit this vulnerability to steal your application's source code during development.

The attacker can bypass same-origin protections by suppressing security headers and then access the source code via browser mechanisms like window.webpackChunk*. This could lead to exposure of proprietary or sensitive code before deployment.

This vulnerability does not affect production builds or servers bound to localhost. It mainly impacts development environments where the server is exposed on the local network.

Executive Summary

CVE-2026-49993 is a security vulnerability in Nuxt.js's webpack and rspack development servers. It occurs when the dev server is bound to a non-loopback address (such as when using the --host option) and the usual security headers (Sec-Fetch-Site, Origin, or Referer) are missing from requests. In this scenario, the same-origin check can be bypassed, allowing a malicious site on the same network to steal the source code during development.

The root cause was an incomplete fix for a previous vulnerability, where the server incorrectly allowed all requests without these headers. The fix requires the dev server to be bound to a loopback host (localhost, 127.0.0.1, or ::1) when these headers are absent, preventing unauthorized cross-origin requests.
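To make the root cause concrete, here is an added illustration of a dev-server request check with the two behaviours the summary contrasts: the incomplete fix, which accepts any request carrying none of the three headers, and the patched rule, which accepts such a request only when the server is bound to a loopback host. This is example code written for this page, not the code of @nuxt/webpack-builder or @nuxt/rspack-builder; the function names, the option name and the treatment of Sec-Fetch-Site: none as a direct user navigation are assumptions.

```javascript
// Added example, not Nuxt's implementation. Header names are lower-case, as in
// Node's IncomingMessage.headers; listenHost is the address the dev server binds to.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);

// Accepts "127.0.0.1", "localhost:3000", "::1", "[::1]:3000" or "0.0.0.0".
function isLoopbackHost(listenHost) {
  let h = String(listenHost).trim();
  const bracketed = h.match(/^\[([^\]]+)\](?::\d+)?$/); // [::1] or [::1]:3000
  if (bracketed) {
    h = bracketed[1];
  } else if ((h.match(/:/g) || []).length === 1) {
    h = h.split(":")[0]; // host:port with an IPv4 or name host
  }
  return LOOPBACK_HOSTS.has(h.toLowerCase());
}

// Host (name plus port) of an absolute URL, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url).host.toLowerCase();
  } catch {
    return null;
  }
}

// Returns true if the request may be served. With the default option the function
// applies the patched rule; with requireLoopbackWhenHeadersMissing=false it behaves
// like the incomplete fix described in the advisory (assumed option name).
function isAllowedDevRequest(headers, listenHost,
                             { requireLoopbackWhenHeadersMissing = true } = {}) {
  const host = String(headers.host || "").toLowerCase();
  const site = headers["sec-fetch-site"];
  if (site !== undefined) {
    // "none" is a navigation the user initiated (typed URL, bookmark); assumption.
    return site === "same-origin" || site === "none";
  }
  if (headers.origin !== undefined) return hostOf(headers.origin) === host;
  if (headers.referer !== undefined) return hostOf(headers.referer) === host;

  // None of the three signals is present. The incomplete fix allowed this
  // unconditionally; the patched rule only allows it on a loopback bind.
  if (!requireLoopbackWhenHeadersMissing) return true;
  return isLoopbackHost(listenHost);
}

module.exports = { isLoopbackHost, hostOf, isAllowedDevRequest };
```

The interesting case is a headerless request to a server started with `--host`: the incomplete rule answers true, the patched rule answers false, while the same request against a loopback bind is still served.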

Detection Guidance

This vulnerability occurs when the Nuxt development server is bound to a non-loopback address (e.g., using `nuxt dev --host`) and the Sec-Fetch-Site, Origin, and Referer headers are missing from requests, allowing potential cross-origin attacks. Detection involves checking if your dev server is running on a non-loopback interface and if requests without these headers are accepted.

You can detect this by monitoring network traffic to your dev server and inspecting HTTP request headers for missing Sec-Fetch-Site, Origin, and Referer headers. Additionally, verify if the dev server is bound to a non-loopback address.

  • Use netstat or ss to check the listening addresses of your dev server, e.g., `netstat -tuln | grep <dev-server-port>` or `ss -tuln | grep <dev-server-port>`.
  • Use curl or similar tools to send requests without the Sec-Fetch-Site, Origin, and Referer headers to the dev server and observe if the source code or webpack chunks are accessible, e.g.: `curl -H "Sec-Fetch-Site:" -H "Origin:" -H "Referer:" http://<dev-server-ip>:<port>/`.
  • Monitor browser developer tools or network proxies to detect requests missing these headers accessing the dev server.
Mitigation Strategies

To mitigate this vulnerability immediately, ensure that your Nuxt development server is bound only to loopback addresses (localhost, 127.0.0.1, or ::1) rather than non-loopback addresses.

Avoid using the `--host` or `--host 0.0.0.0` options when running the dev server, as these expose it to the network and increase risk.

Upgrade your Nuxt packages (@nuxt/webpack-builder and @nuxt/rspack-builder) to versions 3.21.7 or later, or 4.4.7 or later, where this vulnerability has been patched.

Alternatively, use a Chromium-based browser version 142 or later, which includes Local Network Access restrictions that help protect against this attack.

Consider switching to the Vite builder instead of webpack or rspack builders during development to avoid this issue.

Compliance Impact

This vulnerability allows a malicious actor on the same network to steal the built source code of a Nuxt.js application during development if the dev server is bound to a non-loopback address. Such unauthorized access to source code could potentially lead to exposure of sensitive information or intellectual property.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of source code and potential data leakage during development could pose risks to confidentiality requirements mandated by these regulations.

Organizations subject to these regulations should ensure that development environments are properly secured, for example by binding the dev server to localhost or using patched versions of the affected packages, to prevent unauthorized access and maintain compliance.
