CVE-2026-49993: @nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
This is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.
References
- github.com/advisories/GHSA-x6qj-4h56-5rj5
- github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05
- github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3
- github.com/nuxt/nuxt/pull/35200
- github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g
- github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5
- nvd.nist.gov/vuln/detail/CVE-2026-49993
Code Behaviors & Features
Detect and mitigate CVE-2026-49993 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →