CVE-2025-24360: Sensitive Information Exposure in Vite-builder

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.3% (top 45.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jan 25
Latest update: Jan 27

Description

Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any website to send arbitrary requests to the development server and read the responses, due to its default CORS settings. Users who keep the default server.cors option and use the Vite builder may have their source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (2 packages)

npm: nuxt/vite-builder (introduced 3.8.1, fixed 3.15.3)
CVEListV5: nuxt/nuxt >= 3.8.1, < 3.15.3

Vulnerability Details (2)

OSV: Opening a malicious website while running a Nuxt dev server could allow read-only access to code (2025-01-27)
GHSA: Opening a malicious website while running a Nuxt dev server could allow read-only access to code (2025-01-27)