Description
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.
Published: 2026-06-23
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by the Nuxt development server binding its vite-node IPC server to an abstract-namespace Unix socket that is world-accessible on Linux. Unprivileged local users can connect to this socket and send requests to the module request handler, enabling them to read arbitrary files via the SSR plugin pipeline. The flaw is an example of improper access control (CWE-276) and can lead to disclosure of sensitive data such as .env files and SSH private keys. The impact is limited to local file disclosure through the development environment.

Affected Systems

Vendors: Nuxt, Products: Nuxt. Affected versions include Nuxt 4.0.0 through 4.4.6 and Nuxt 3.18.0 through 3.21.6. Production builds are unaffected because the IPC server runs only during development.

Risk and Exploitability

The CVSS score of 6.8 indicates a medium severity impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not widely exploited yet. However, the attack vector is local: the attacker must have access to the same machine running the development server. The exploit requires the dev server to be running and vulnerable, but does not need network connectivity. Organizations that use shared development environments or run the dev server in production face a higher risk of exposure.

Generated by OpenCVE AI on June 23, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuxt to version 4.4.7 or later, or 3.21.7 or later, where the vulnerability is remediated.
  • Ensure the development server is not exposed in production or on shared machines; run it only for local development.
  • If an immediate upgrade is not possible, isolate the development environment from unprivileged users, or temporarily disable the SSR plugin that processes module requests.

Generated by OpenCVE AI on June 23, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.
Title Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux
First Time appeared Nuxt
Nuxt nuxt
Weaknesses CWE-276
CPEs cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:node.js:*:*
Vendors & Products Nuxt
Nuxt nuxt
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nuxt Nuxt
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T14:34:24.230Z

Reserved: 2026-06-20T12:49:17.830Z

Link: CVE-2026-56301

cve-icon Vulnrichment

Updated: 2026-06-23T14:34:20.372Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T15:30:06Z

Weaknesses
  • CWE-276

    Incorrect Default Permissions