5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-24360

GHSA ID

GHSA-2452-6xj8-jh47

EPSS Score

0.3193%

CWE

CWE-200

Published

1/27/2025

Updated

1/27/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24360

CVE-2025-24360: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Summary

Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.

Details

While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995).

https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263

That CORS handler sets Access-Control-Allow-Origin: *.

[!IMPORTANT]
If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring vite.server.cors.

PoC

Start a dev server in any nuxt project using Vite by nuxt dev.
Send a fetch request to http://localhost:3000/_nuxt/app.vue (fetch('http://localhost:3000/_nuxt/app.vue')) from a different origin page.

Impact

Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites

Additional Information

/__nuxt_vite_node__/manifest / /__nuxt_vite_node__/module also seems to have Access-Control-Allow-Origin: *, so it maybe also possible to exploit that handler. https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39 Although I didn't find a valid module id. Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-24360

CVE-2025-24360:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-24360

GHSA ID

GHSA-2452-6xj8-jh47

EPSS Score

0.3193%

CWE

CWE-200

Published

1/27/2025

Updated

1/27/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@nuxt/vite-builder	npm	>= 3.8.1, < 3.15.3	3.15.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Nuxt's custom CORS handler overriding Vite's patched CORS implementation. The key vulnerable functions are: 1) The Vite client middleware handler that used h3's appendCorsHeaders with wildcard origins, visible in client.ts lines 257-263 pre-patch. 2) The Vite Node server middleware that exposed internal endpoints without origin validation. The commit 7eeb910 replaced the wildcard CORS implementation with origin restrictions and proper h3 handleCors usage, confirming these were the vulnerable points. The medium confidence for vite-node.ts stems from advisory notes about potential exploitation despite lack of explicit PoC for module IDs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-24360: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Summary

Details

PoC

Impact

Additional Information

CVE-2025-24360:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2025-24360: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Summary

Details

PoC

Impact

Additional Information

5.3

5.3

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI