Description
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7.
Published: 2026-06-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability results from an incomplete fix of a previously known issue (GHSA-6m52-m754-pw2g). In affected Nuxt versions the development server performs a same-origin check that is bypassed when the Sec-Fetch-Site, Origin, and Referer headers are all absent. When a developer runs nuxt dev bound to a non-loopback address (for example by specifying --host) and a malicious site on the same local network accesses the dev server, the server accepts the request and can serve source code files. This leads to unauthorized disclosure of source code during development, impacting the confidentiality of the application in a non-production environment. The flaw is classified as CWE-749 (Exposed Dangerous Method or Function).

Affected Systems

Nuxt’s @nuxt/webpack-builder and @nuxt/rspack-builder packages from version 3.15.4 to 3.21.6 and from 4.0.0 to 4.4.6 are affected. The issue was fixed in versions 3.21.7 and 4.4.7.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate risk, while an EPSS score of less than 1% suggests that real-world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker who shares the local network with a developer who has bound the nuxt dev server to a non-loopback interface can host a malicious webpage that omits the standard origin headers. The dev server will accept the request and may deliver source code files, resulting in source code theft. Because this attack needs local network proximity and a misconfigured dev server, it poses a tangible threat to developers working in open or shared networks but is less relevant to production deployments.

Generated by OpenCVE AI on June 12, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Nuxt packages to version 3.21.7 or 4.4.7, which contain the complete fix for this issue.
  • If an immediate upgrade is not feasible, run the development server only on a loopback interface (e.g., nuxt dev --host 127.0.0.1) to prevent external access.
  • Configure your firewall or container network settings to block any unsolicited traffic to the dev server.
  • As an additional precaution, enforce validation of the Sec-Fetch-Site, Origin, and Referer headers on incoming requests to the dev server so that any request lacking these headers is rejected.
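As an added illustration of the header validation recommended above (example code, not Nuxt's own code or its actual fix), the following Node.js middleware implements a fail-closed same-origin check: it trusts Sec-Fetch-Site when present, falls back to Origin and then Referer, and rejects a request that carries none of the three, which is the case the incomplete fix let through. The header names are standard; devOrigin and the connect-style middleware shape are assumptions.

```javascript
// Added example, not Nuxt's code: fail-closed same-origin check for a dev server.
// Assumption: `headers` is Node's lower-cased req.headers map and `devOrigin` is
// the origin the dev server is actually serving, e.g. "http://192.168.1.20:3000".
function checkDevOrigin(headers, devOrigin) {
  const fetchSite = headers["sec-fetch-site"];
  const candidate = headers["origin"] ?? headers["referer"];

  // Browsers set Sec-Fetch-Site; "same-origin" and "none" (user typed the URL
  // or used a bookmark) are the only values a same-origin dev server should accept.
  if (fetchSite !== undefined) {
    const ok = fetchSite === "same-origin" || fetchSite === "none";
    return { allowed: ok, reason: `sec-fetch-site=${fetchSite}` };
  }

  // Older clients: compare the Origin (or Referer) origin tuple with ours.
  // Unparseable values such as the literal "null" are rejected.
  if (candidate !== undefined) {
    let candOrigin;
    try {
      candOrigin = new URL(candidate).origin;
    } catch {
      return { allowed: false, reason: "unparseable Origin/Referer" };
    }
    const ok = candOrigin === new URL(devOrigin).origin;
    return { allowed: ok, reason: ok ? "origin matches" : `origin ${candOrigin} differs` };
  }

  // All three headers absent: the incomplete fix accepted this case; fail closed.
  // (Non-browser clients that send none of the three are rejected as well.)
  return { allowed: false, reason: "no Sec-Fetch-Site, Origin or Referer" };
}

// Connect-style middleware so the check sits in front of every dev route.
function devOriginGuard(devOrigin) {
  return (req, res, next) => {
    const verdict = checkDevOrigin(req.headers, devOrigin);
    if (!verdict.allowed) {
      res.statusCode = 403;
      res.end("Forbidden: " + verdict.reason);
      return;
    }
    next();
  };
}
```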

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nuxt, Nuxt nuxt
Vendors & Products | | Nuxt, Nuxt nuxt

Fri, 12 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7.
Title | | @nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Weaknesses | | CWE-749
References | |
Metrics | | cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T13:42:21.829Z

Reserved: 2026-06-02T18:30:51.283Z

Link: CVE-2026-49993

Vulnrichment

Updated: 2026-06-12T13:41:56.190Z

NVD

Status: Undergoing Analysis

Published: 2026-06-12T14:16:32.650

Modified: 2026-06-12T16:01:25.477

Link: CVE-2026-49993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-749: Exposed Dangerous Method or Function