CVE-2025-52662Cross-site Scripting in Devtools

CWE-79Cross-site ScriptingCWE-401Missing Release of Memory after Effective Lifetime4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 93.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Nuxt DevtoolsVercel Nuxt DevtoolsMsrc Azl3 Hyperv-daemons 6.6.22.1-2 ON Azure Linux 3.0+3 more
Timeline
PublishedNov 7

Description

A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages7 packages

CVEListV5vercel/nuxt_devtools2.6.32.6.3
NVDnuxt/devtools< 2.6.4
npmnuxt/devtools< 2.6.4

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
Nuxt DevTools vulnerable to cross-site scripting (XSS)2025-11-07
GHSA
Nuxt DevTools vulnerable to cross-site scripting (XSS)2025-11-07

📋Vendor Advisories

1
Microsoft
drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node2024-05-14