CVE-2025-24361: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

January 27, 2025 (updated January 30, 2025)

Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.

References

github.com/advisories/GHSA-4gf7-ff8x-hq99
github.com/nuxt/nuxt
github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f
github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99
nvd.nist.gov/vuln/detail/CVE-2025-24361

Code Behaviors & Features

Detect and mitigate CVE-2025-24361 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →