CVE-2024-23657 Overview
CVE-2024-23657 affects Nuxt, an open-source framework for building full-stack web applications with Vue.js. The vulnerability resides in Nuxt Devtools, where the getTextAssetContent Remote Procedure Call (RPC) function lacks authentication and is vulnerable to path traversal [CWE-22]. Because the WebSocket handler also does not validate the Origin header, an attacker can perform cross-site WebSocket hijacking against a developer's locally running devtools instance. Successful exploitation enables arbitrary file reads, theft of the devtools authentication token, and ultimately remote code execution (RCE) through the authenticated writeStaticAssets function. The issue was fixed in Nuxt Devtools release 1.3.9.
Critical Impact
A malicious webpage visited by a developer running Nuxt Devtools can exfiltrate local files, steal the devtools authentication token, and write a malicious component or Nitro handler to achieve remote code execution on the developer's machine.
Affected Products
- Nuxt Devtools versions prior to 1.3.9
- Nuxt full-stack framework installations using vulnerable Devtools versions
- Developer workstations with locally running Nuxt Devtools instances
Discovery Timeline
- 2024-08-05 - CVE-2024-23657 published to the National Vulnerability Database (NVD)
- 2024-09-20 - Last updated in NVD database
Technical Details for CVE-2024-23657
Vulnerability Analysis
The vulnerability chains three weaknesses in Nuxt Devtools into a full remote code execution primitive. First, the getTextAssetContent RPC function does not validate the path supplied by the caller, permitting directory traversal sequences such as ../. This allows an unauthenticated WebSocket client to read arbitrary files on the host filesystem.
Second, the Devtools WebSocket server does not enforce Origin header checks. Any web page loaded in the developer's browser can therefore connect to the local Devtools WebSocket endpoint, a class of attack known as cross-site WebSocket hijacking. This design choice may have been intentional to support certain proxy and remote development configurations.
Third, Nuxt Devtools stores authentication tokens inside the current user's home directory. An attacker who can read arbitrary files can locate the token file by trying traversal paths into the home directory and, once the token is recovered, issue authenticated RPC calls.
Root Cause
The root cause is missing input validation in getTextAssetContent (see packages/devtools/src/server-rpc/assets.ts) combined with absent Origin validation in the WebSocket handler (packages/devtools/src/server-rpc/index.ts). Authentication tokens generated by dev-auth.ts are stored at predictable paths within the user home directory, making them recoverable once arbitrary file read is achieved.
Attack Vector
The attack requires the developer to visit a malicious or compromised web page while Nuxt Devtools is running locally. The malicious page opens a WebSocket connection to the local Devtools endpoint, then issues getTextAssetContent calls with traversal payloads such as ../../../.nuxt-devtools/token to enumerate the token file. After recovering the token, the attacker invokes the authenticated writeStaticAssets RPC to write a new Vue component, Nitro handler, or app.vue file. Nuxt's hot module reload then automatically executes the attacker-controlled code in the developer's Node.js process. Technical details are documented in GitHub Security Advisory GHSA-rcvg-rgf7-pppv and the PortSwigger WebSocket Hijacking Tutorial.
Detection Methods for CVE-2024-23657
Indicators of Compromise
- Unexpected WebSocket connections from browser origins to the local Nuxt Devtools port during development sessions
- New or modified .vue, Nitro handler, or app.vue files in the project tree that were not committed by the developer
- Outbound network connections initiated by the Node.js development process to unfamiliar hosts
- Recent access timestamps on devtools authentication token files within the user home directory
Detection Strategies
- Inspect browser developer tools and proxy logs for cross-origin WebSocket upgrade requests targeting localhost Devtools ports
- Audit project source trees for unexpected file creation events while Devtools is active
- Monitor process telemetry for child processes spawned by the Node.js Nuxt dev server
Monitoring Recommendations
- Enable file integrity monitoring on developer workstations for project directories and the Devtools token path under the user home directory
- Log all outbound network connections originating from Node.js and developer browser processes
- Track installed versions of @nuxt/devtools across engineering endpoints and flag versions below 1.3.9
How to Mitigate CVE-2024-23657
Immediate Actions Required
- Upgrade Nuxt Devtools to version 1.3.9 or later on all developer workstations
- Audit all Nuxt projects for unauthorized changes to components, Nitro handlers, and app.vue files since the vulnerability disclosure
- Rotate any credentials, SSH keys, or tokens accessible from developer workstations that may have run vulnerable Devtools versions
- Restrict developer browsing activity during active dev sessions to trusted sites
Patch Information
The vulnerability is fixed in Nuxt Devtools release 1.3.9. Update via npm install -D @nuxt/devtools@latest or the equivalent yarn or pnpm command. Verify the upgrade by checking the installed version in package.json and the project lockfile. Refer to the GitHub Security Advisory GHSA-rcvg-rgf7-pppv for the full vendor advisory.
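A version audit in JavaScript, added here (not from the advisory or from Nuxt), that serves both the monitoring recommendation to flag @nuxt/devtools versions below 1.3.9 and the verification step above: it reads the declared range from package.json and the installed versions from a package-lock.json "packages" map. Function names and the sample data are constructed for illustration.

```javascript
// Added example (not part of the advisory or of Nuxt): flag @nuxt/devtools
// installs below the fixed release 1.3.9 from a package.json and a lockfile
// (package-lock.json v2/v3 "packages" map). Standard library only; the sample
// data at the bottom is constructed, not taken from a real project.
const FIXED_VERSION = '1.3.9';

// Parse "MAJOR.MINOR.PATCH[-prerelease]", tolerating a leading ^, ~, = or v.
function parseVersion(v) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  return m ? { parts: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// True when `version` is older than the fix. Unparsable input (e.g. "latest")
// counts as vulnerable so a human looks at it; a prerelease of 1.3.9 is older.
function isBelowFix(version) {
  const a = parseVersion(version);
  const b = parseVersion(FIXED_VERSION);
  if (!a) return true;
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] < b.parts[i];
  }
  return a.pre !== null;
}

// package.json only declares a range; a lower bound below the fix means the
// lockfile decides, so it is reported as "check the lockfile", not as proof.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps['@nuxt/devtools'];
  if (spec === undefined) return null;
  return { spec, lowerBoundBelowFix: isBelowFix(spec) };
}

// The lockfile records what is actually installed, including nested copies
// (workspaces, transitive pins), so every key ending in the package path is checked.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.endsWith('node_modules/@nuxt/devtools')) continue;
    if (isBelowFix(entry.version)) findings.push({ path: key, version: entry.version });
  }
  return findings;
}

// Constructed sample: patched root install, vulnerable nested copy in a workspace.
const SAMPLE_PACKAGE_JSON = { devDependencies: { '@nuxt/devtools': '^1.3.2' } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/@nuxt/devtools': { version: '1.3.9' },
  'packages/legacy-app/node_modules/@nuxt/devtools': { version: '1.3.3' },
} };
```

Pass `JSON.parse(fs.readFileSync(...))` of a real package.json and package-lock.json to the two audit functions; a non-empty auditLockfile result is the actionable finding.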
Workarounds
- No vendor-supplied workarounds exist for this vulnerability; upgrading is the only supported remediation
- As a temporary measure, disable Nuxt Devtools in nuxt.config.ts by setting devtools: { enabled: false } until the upgrade is applied
- Run development environments inside isolated containers or virtual machines to limit the blast radius of a successful exploit
// Disable Nuxt Devtools in nuxt.config.ts as a temporary measure
export default defineNuxtConfig({
  devtools: { enabled: false }
})

# Upgrade to the patched version (npm; use the equivalent yarn or pnpm command otherwise)
npm install -D @nuxt/devtools@^1.3.9
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.