GHSA-x6qj-4h56-5rj5Medium

@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)

Published
June 16, 2026
Last Modified
June 16, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

This is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

Details

The fix for GHSA-6m52-m754-pw2g added an Origin / Referer fallback to the dev-middleware same-origin check, with a return true branch when neither header is present so that non-browser clients (curl, the HMR client, address-bar navigation) keep working.

That fallback is bypassed when a cross-origin attacker request reaches the dev server with all three signal headers absent:

  • Sec-Fetch-Site is not sent by browsers to non-potentially-trustworthy destinations (HTTP on a non-loopback address).
  • Origin is not sent on non-CORS subresource fetches (a bare <script> with no crossorigin).
  • Referer can be suppressed by the attacker page with <meta name="referrer" content="no-referrer"> or referrerpolicy="no-referrer" on the <script> element.

A classic <script src="http://VICTIM_LAN_IP:3000/_nuxt/app.js" referrerpolicy="no-referrer"> from a non-trustworthy attacker origin produces exactly that header set, the request is allowed, and the attacker page can read the built source out of window.webpackChunk* via Function.prototype.toString().

Since the attack requires the dev server to be reachable via a non-potentially-trustworthy origin, only apps using --host (or --host 0.0.0.0) are affected. Chrome 142+ users are also protected by Local Network Access restrictions.

PoC

  1. Create a Nuxt project with the webpack / rspack builder.
  2. Run npm run dev -- --host 0.0.0.0.
  3. Open http://localhost:3000 on the developer machine.
  4. From a different LAN host, serve the page below and open it in the same browser.
  5. The compiled module source is exfiltrable from window.webpackChunknuxt_<projectname>.
<!doctype html>
<meta name="referrer" content="no-referrer">
<script>
  ['/_nuxt/runtime.js', '/_nuxt/app.js'].forEach(p => {
    const s = document.createElement('script')
    s.src = 'http://VICTIM_LAN_IP:3000' + p
    s.referrerPolicy = 'no-referrer'
    document.head.appendChild(s)
  })
  setTimeout(() => {
    const key = Object.keys(window).find(k => k.startsWith('webpackChunk'))
    for (const [, mods] of window[key]) {
      for (const id in mods) {
        console.log(id, mods[id].toString())
      }
    }
  }, 1500)
</script>

Impact

Users using the webpack / rspack builder with nuxt dev --host may get the built source code read by malicious websites on the same network, including module identifiers, the developer's local filesystem path, and any developer-controlled strings inlined into the bundle.

This vulnerability does not affect Chrome 142+ (and other Chromium-based browsers) users due to Local Network Access restrictions.

The default Vite builder is not affected.

Patches

Fixed in @nuxt/[email protected] / @nuxt/[email protected] and backported to @nuxt/[email protected] / @nuxt/[email protected] by #35200 (4.x: commit e351de94; 3.x: commit 77187ee4). The dev-middleware same-origin check now treats a request with no Sec-Fetch-Site, no Origin, and no Referer as same-origin only when the dev server is loopback-bound, closing the header-suppression bypass.

The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.

Workarounds

If you cannot upgrade immediately:

  • Don't use nuxt dev --host. Bind the dev server to localhost (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.
  • Use Chrome 142+ or another Chromium-based browser that enforces Local Network Access restrictions.
  • Switch to the Vite builder for development.

Credit

Reported by Berkan SAL (@Uhudsavasindankacanokcu2) via the Vercel Open Source HackerOne program.

Independently reported by @DavidCarliez via GitHub's coordinated disclosure flow (GHSA-xw96-2f5x-v9pv), closed as a duplicate of this advisory.

🎯 Affected products4

  • npm/@nuxt/webpack-builder:>= 4.0.0, < 4.4.7
  • npm/@nuxt/webpack-builder:>= 3.15.4, < 3.21.7
  • npm/@nuxt/rspack-builder:>= 4.0.0, < 4.4.7
  • npm/@nuxt/rspack-builder:>= 3.15.4, < 3.21.7

🔗 References (7)