Miggo Logo
Miggo Vulnerability Database
CVE-2025-24360

CVE-2025-24360:
Opening a malicious website while running a Nuxt dev server could allow read-only access to code

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-24360
GHSA ID
GHSA-2452-6xj8-jh47
EPSS Score
0.27512%
CWE
CWE-200
Published
1/27/2025
Updated
1/27/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
@nuxt/vite-buildernpm>= 3.8.1, < 3.15.33.15.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from Nuxt's custom CORS handler overriding Vite's patched CORS implementation. The key vulnerable functions are: 1) The Vite client middleware handler that used h3's appendCorsHeaders with wildcard origins, visible in client.ts lines 257-263 pre-patch. 2) The Vite Node server middleware that exposed internal endpoints without origin validation. The commit 7eeb910 replaced the wildcard CORS implementation with origin restrictions and proper h3 handleCors usage, confirming these were the vulnerable points. The medium confidence for vite-node.ts stems from advisory notes about potential exploitation despite lack of explicit PoC for module IDs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Nuxt *llows *ny w**sit*s to s*n* *ny r*qu*sts to t** **v*lopm*nt s*rv*r *n* r*** t** r*spons* *u* to ****ult *ORS s*ttin*s. ### **t*ils W*il* Vit* p*t**** t** ****ult *ORS s*ttin*s to *ix *ttps://*it*u*.*om/vit*js/vit*/s**urity/**visori*

Reasoning

T** vuln*r**ility st*ms *rom Nuxt's *ustom *ORS **n*l*r ov*rri*in* Vit*'s p*t**** *ORS impl*m*nt*tion. T** k*y vuln*r**l* *un*tions *r*: *) T** Vit* *li*nt mi**l*w*r* **n*l*r t**t us** **'s *pp*n**ors*****rs wit* wil***r* ori*ins, visi*l* in *li*nt.t