Impact
The local HTTP server started by nx graph sent the header Access‑Control‑Allow‑Origin: * on every response, allowing any website a developer visited to read the server’s responses cross‑origin. The exposed data includes the full project graph and the output of the /help endpoint, which may execute configured help commands. This flaw primarily leads to cross‑origin information disclosure and, in very rare cases, could enable arbitrary command injection. The vulnerability stems from multiple weaknesses, including permissive CORS handling (CWE‑346), generic data output exposure (CWE‑749), and command execution in help endpoints (CWE‑942).
Affected Systems
Products: Nrwl Nx – a monorepo solution for TypeScript and polyglot codebases. Affected Nx versions range from 17.0.4 through 22.7.2 and also include the 23.0.0‑beta.2 release. Developers using these versions of Nx and running the local graph dev server are potentially impacted.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score is < 1%, indicating a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Likely attack conditions require the developer to run nx graph locally and then access a malicious web page while the dev server is active; the permissive CORS header then allows the attacker’s site to read the server’s responses. Because the attack surface is tied to local development and requires the developer to be online, the probability of exploitation is low, but using the exposed project graph data could aid further attacks.
OpenCVE Enrichment