Description
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.
Published: 2026-06-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The local HTTP server started by nx graph sent the header Access‑Control‑Allow‑Origin: * on every response, allowing any website a developer visited to read the server’s responses cross‑origin. The exposed data includes the full project graph and the output of the /help endpoint, which may execute configured help commands. This flaw primarily leads to cross‑origin information disclosure and, in very rare cases, could enable arbitrary command injection. The vulnerability stems from multiple weaknesses, including permissive CORS handling (CWE‑346), generic data output exposure (CWE‑749), and command execution in help endpoints (CWE‑942).

Affected Systems

Products: Nrwl Nx – a monorepo solution for TypeScript and polyglot codebases. Affected Nx versions range from 17.0.4 through 22.7.2 and also include the 23.0.0‑beta.2 release. Developers using these versions of Nx and running the local graph dev server are potentially impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score is < 1%, indicating a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Likely attack conditions require the developer to run nx graph locally and then access a malicious web page while the dev server is active; the permissive CORS header then allows the attacker’s site to read the server’s responses. Because the attack surface is tied to local development and requires the developer to be online, the probability of exploitation is low, but using the exposed project graph data could aid further attacks.

Generated by OpenCVE AI on July 17, 2026 at 02:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nx to version 22.7.2 or newer, including 23.0.0‑beta.2 to apply the vendor bug fix
  • If an immediate upgrade is not possible, restrict network exposure of the nx graph dev server by configuring a firewall or host‑based rules to allow connections only from the local machine
  • Limit the time the nx graph server is run and avoid browsing untrusted external sites while the dev server is active to reduce the window for cross‑origin attacks

Generated by OpenCVE AI on July 17, 2026 at 02:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nrwl
Nrwl nx
Vendors & Products Nrwl
Nrwl nx

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.
Title Nx: `nx graph` dev server permissive CORS policy
Weaknesses CWE-749
CWE-942
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:09:33.257Z

Reserved: 2026-06-15T23:12:41.965Z

Link: CVE-2026-54753

cve-icon Vulnrichment

Updated: 2026-06-26T19:09:25.959Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T18:13:34Z

Links: CVE-2026-54753 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T02:45:08Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-749

    Exposed Dangerous Method or Function

  • CWE-942

    Permissive Cross-domain Security Policy with Untrusted Domains