Description
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6.
Published: 2026-06-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness is in the development server of projects built with @nuxt/rspack-builder or @nuxt/webpack-builder, in versions 3.15.4 up to (but not including) 3.21.6 and 4.0.0-alpha.1 up to (but not including) 4.4.6. The attack has two preconditions: the dev server must be bound to a non-loopback address (for example by running nuxt dev --host), and the developer must open a malicious site from a browser on the same network. That page can then read the built source the dev server serves and send it to the attacker, exposing potentially confidential code. The issue grants no code execution; it is a confidentiality exposure, scored 5.9 (medium) under CVSS 4.0 and classified as CWE-749 (Exposed Dangerous Method or Function).

Affected Systems

Nuxt (vendor and product nuxt:nuxt) is affected, specifically the @nuxt/rspack-builder and @nuxt/webpack-builder packages. Affected releases range from 3.15.4 up to (but not including) 3.21.6, and from 4.0.0-alpha.1 up to (but not including) 4.4.6; releases in these ranges carry the incomplete fix for GHSA-4gf7-ff8x-hq99. The advisory names only the webpack and rspack builders.

Risk and Exploitability

Exploitation needs an attacker on the same local network, a dev server listening on a non-loopback interface, and a developer who visits an attacker-controlled page (CVSS 4.0 vector AV:A/AC:H/AT:P/PR:N/UI:P). Those preconditions keep the exploitation risk moderate: the EPSS score is below 1% and the CVE is not in the CISA KEV catalog, although the SSVC assessment records Exploitation: poc, meaning proof-of-concept code exists. The CVSS score of 5.9 reflects a high confidentiality impact (VC:H) with no integrity or availability impact. Versions 3.21.6 and 4.4.6 complete the earlier fix; the advisory does not describe the change itself.

Generated by OpenCVE AI on June 12, 2026 at 14:53 UTC.

Remediation

Vendor fix: upgrade to 3.21.6 or later (3.x) or 4.4.6 or later (4.x). Workaround until then: do not bind the dev server to a non-loopback address (avoid nuxt dev --host) while on a network you do not trust.

OpenCVE Recommended Actions

  • Upgrade Nuxt to a patched release (3.21.6 or later, or 4.4.6 or later).
  • If an upgrade is not immediately possible, run the dev server bound to loopback only: omit --host (Nuxt's default binds to localhost) or pass --host 127.0.0.1 explicitly, and avoid a bare --host, which binds to all interfaces.
  • Keep the development machine off untrusted networks, or add host firewall rules that block inbound connections to the dev server port from other hosts.
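Two checks a practitioner would want after reading the actions above, as an added example written for this page (not code from Nuxt or OpenCVE): a version-range test against the advisory's affected ranges for the two builder packages, and a scan of ss -ltn output for dev-server listeners bound to a non-loopback address. The dependency map and socket lines are constructed sample input; the default port 3000 (Nuxt's usual dev port) and the exact-version format (lockfile style, no range prefixes) are assumptions.

```javascript
// Added example for this advisory; not code from Nuxt or OpenCVE.
// Check 1: is an installed @nuxt/webpack-builder / @nuxt/rspack-builder
//          version inside the advisory's affected ranges?
// Check 2: is a dev server listening on a non-loopback address (the
//          precondition for the issue), judged from `ss -ltn` output?
// All sample data below is constructed for the example.

// Affected ranges from the advisory: [3.15.4, 3.21.6) and [4.0.0-alpha.1, 4.4.6).
const AFFECTED_RANGES = [
  { from: '3.15.4', to: '3.21.6' },
  { from: '4.0.0-alpha.1', to: '4.4.6' },
];
const AFFECTED_PACKAGES = ['@nuxt/webpack-builder', '@nuxt/rspack-builder'];

// Parse "major.minor.patch[-prerelease]"; build metadata (+...) is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: compare core numbers, then prerelease identifiers
// (a prerelease sorts before the release it precedes; numeric identifiers
// sort numerically and before alphanumeric ones).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // shorter prerelease list sorts first
    if (q === undefined) return 1;
    const pNum = /^\d+$/.test(p), qNum = /^\d+$/.test(q);
    if (pNum && qNum) {
      if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1;
    } else if (pNum !== qNum) {
      return pNum ? -1 : 1;
    } else if (p !== q) {
      return p < q ? -1 : 1;
    }
  }
  return 0;
}

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    r => compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) < 0,
  );
}

// deps: {packageName: exactVersion}, e.g. read from a lockfile. Returns
// "name@version" for every affected builder package.
function affectedBuilders(deps) {
  return Object.entries(deps)
    .filter(([name, version]) => AFFECTED_PACKAGES.includes(name) && isAffectedVersion(version))
    .map(([name, version]) => `${name}@${version}`);
}

// Loopback: 127.0.0.0/8, ::1 or localhost. Wildcards (0.0.0.0, ::, *) and
// LAN addresses are reachable from other hosts on the network.
function isLoopback(host) {
  const h = host.replace(/^\[|\]$/g, '');
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h) || h === '::1' || h === 'localhost';
}

// ssOutput: text of `ss -ltn` (columns: State Recv-Q Send-Q Local Address:Port
// Peer Address:Port). Returns local sockets on the given ports that are not
// loopback-bound. Port 3000 (Nuxt's usual dev port) is an assumed default.
function exposedDevListeners(ssOutput, ports = [3000]) {
  const exposed = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 4) continue;
    const local = cols[3];
    const sep = local.lastIndexOf(':');
    const host = local.slice(0, sep);
    const port = Number(local.slice(sep + 1));
    if (ports.includes(port) && !isLoopback(host)) exposed.push(local);
  }
  return exposed;
}

// Constructed sample input: a project pinning an affected builder, and socket
// lines as `ss -ltn` would print them on a machine running `nuxt dev --host`.
const SAMPLE_DEPS = { '@nuxt/webpack-builder': '3.21.5', vue: '3.5.0' };
const SAMPLE_SS = [
  'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process',
  'LISTEN 0      511    0.0.0.0:3000        0.0.0.0:*',
  'LISTEN 0      511    [::]:3000           [::]:*',
  'LISTEN 0      511    127.0.0.1:3000      0.0.0.0:*',
  'LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('affected builders:', affectedBuilders(SAMPLE_DEPS));
  console.log('exposed dev listeners:', exposedDevListeners(SAMPLE_SS));
}
```

On a real machine, feed the output of ss -ltn (or netstat -ltn, whose local-address column has the same shape) into exposedDevListeners and the builder versions from the lockfile into affectedBuilders; any listener it reports on the dev port, together with an affected builder version, is the exact state the advisory describes.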

Generated by OpenCVE AI on June 12, 2026 at 14:53 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-6m52-m754-pw2g
Title: Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
History

Fri, 12 Jun 2026 15:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:15:00 +0000

Type: First Time appeared
Values added: Nuxt; Nuxt nuxt
Type: Vendors & Products
Values added: Nuxt; Nuxt nuxt

Fri, 12 Jun 2026 13:45:00 +0000

Type: Description
Values added: the advisory description quoted at the top of this page
Type: Title
Values added: Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Type: Weaknesses
Values added: CWE-749
Type: References
Values added: (none shown)
Type: Metrics
Values added: cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:18:09.794Z

Reserved: 2026-05-12T21:59:25.666Z

Link: CVE-2026-45670

Vulnrichment

Updated: 2026-06-12T14:17:11.165Z

NVD

Status : Undergoing Analysis

Published: 2026-06-12T14:16:31.443

Modified: 2026-06-12T16:01:25.477

Link: CVE-2026-45670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:00:09Z

Weaknesses
  • CWE-749

    Exposed Dangerous Method or Function