CVE-2025-24360: Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Because of its default CORS settings, a Nuxt development server allows any website to send arbitrary requests to it and read the responses, exposing the project's source code to a malicious page opened in the developer's browser.
References
- github.com/advisories/GHSA-2452-6xj8-jh47
- github.com/nuxt/nuxt
- github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts
- github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts
- github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f
- github.com/nuxt/nuxt/pull/23995
- github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47
- github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6
- nvd.nist.gov/vuln/detail/CVE-2025-24360