CVE-2026-45670: Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

May 19, 2026

This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

References

github.com/advisories/GHSA-6m52-m754-pw2g
github.com/nuxt/nuxt/pull/35051
github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g
nvd.nist.gov/vuln/detail/CVE-2026-45670

Code Behaviors & Features

Detect and mitigate CVE-2026-45670 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →