CVE-2025-24361

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to steal source code from Nuxt applications during development when developers visit malicious websites. It affects Nuxt 3.0.0-3.15.12 with webpack builder or 3.12.2-3.15.2 with rspack builder. The attack exploits cross-origin script execution to extract source code via Function::toString.

💻 Affected Systems

Products:
  • Nuxt.js
Versions: 3.0.0 through 3.15.12 (webpack builder) or 3.12.2 through 3.15.2 (rspack builder)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects development mode when using webpack or rspack builders. Production builds are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete theft of application source code including proprietary logic, API keys, and sensitive configuration exposed in development builds.

🟠 Likely Case: Partial source code exposure revealing application structure, business logic, and potentially hardcoded secrets from development environments.

🟢 If Mitigated: No impact if development environments are isolated from internet access or if developers don't visit malicious sites during development.

🌐 Internet-Facing: MEDIUM - Requires developer interaction with malicious site, but development servers often have less security than production.
🏢 Internal Only: LOW - Only affects development environments, not production deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a developer to visit a malicious website while running a vulnerable Nuxt development server. The attack leverages a browser same-origin policy bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.15.13

Vendor Advisory: https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99

Restart Required: Yes

Instructions:

  1. Update Nuxt to version 3.15.13 or later.
  2. Run 'npm update nuxt' or 'yarn upgrade nuxt'.
  3. Restart development server.
  4. Verify version with 'npx nuxt --version'.

🔧 Temporary Workarounds

Isolate Development Environment

all

Run the Nuxt development server in an isolated network without internet access

Use Different Builder

all

Switch to the vite builder, which is not affected by this vulnerability

npm install @nuxt/vite-builder
Update nuxt.config.js to use builder: 'vite'

🧯 If You Can't Patch

  • Run the development server in an isolated network environment without internet access
  • Use browser extensions to block cross-origin requests during development

🔍 How to Verify

Check if Vulnerable:

Check Nuxt version and builder configuration. If using webpack builder version 3.0.0-3.15.12 or rspack builder version 3.12.2-3.15.2, you are vulnerable.

Check Version:

npx nuxt --version

Verify Fix Applied:

Verify Nuxt version is 3.15.13 or later using 'npx nuxt --version' and confirm development server no longer exposes webpackChunknuxt_app values.
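
The version and builder check described above can be scripted across several projects. The following is an added example, not code from Nuxt or from this advisory; the function names, status strings and the sample inventory are constructed for illustration, and the ranges are the ones stated on this page.

```javascript
// Affected ranges as stated on this page (inclusive bounds), keyed by builder.
const AFFECTED = {
  webpack: { min: [3, 0, 0], max: [3, 15, 12] },
  rspack: { min: [3, 12, 2], max: [3, 15, 2] },
};

// Parse an installed version such as "3.15.2" or "v3.15.2". Range specifiers
// like "^3.15.2" are rejected: they do not say which version is installed.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`not an installed version: ${text}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Map a nuxt.config `builder` value or a builder package name to a short name.
function normaliseBuilder(builder) {
  const name = String(builder || '').toLowerCase();
  for (const known of ['rspack', 'webpack', 'vite']) {
    if (name.includes(known)) return known;
  }
  return 'unknown';
}

// Returns 'affected', 'not-affected', or 'check-builder' when the builder
// could not be determined and the project needs a manual look.
function assessNuxt(version, builder) {
  const kind = normaliseBuilder(builder);
  if (kind === 'unknown') return { status: 'check-builder', builder: kind };
  const range = AFFECTED[kind];
  if (!range) return { status: 'not-affected', builder: kind }; // vite
  const v = parseVersion(version);
  const inRange = compare(v, range.min) >= 0 && compare(v, range.max) <= 0;
  return { status: inRange ? 'affected' : 'not-affected', builder: kind };
}

// Constructed sample inventory (project names are placeholders).
const sample = [
  { name: 'project-a', version: '3.14.0', builder: 'webpack' },
  { name: 'project-b', version: '3.15.13', builder: '@nuxt/webpack-builder' },
  { name: 'project-c', version: '3.12.1', builder: 'rspack' },
];
for (const p of sample) console.log(p.name, assessNuxt(p.version, p.builder).status);
```

Pass the installed version (for example the "version" field of node_modules/nuxt/package.json), not the range declared in the project's package.json.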

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-origin requests to development server
  • Multiple Function::toString calls in browser console

Network Indicators:

  • Cross-origin script requests to development server ports (typically 3000)

SIEM Query:

source="browser_console" AND "Function::toString" AND "webpackChunknuxt_app"
