
CVE-2026-45670: Nuxt rspack-builder Information Disclosure

CVE-2026-45670 is an information disclosure vulnerability in Nuxt rspack-builder that allows source code theft when dev servers are bound to non-loopback addresses. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2026-45670 Overview

CVE-2026-45670 is a source code disclosure vulnerability affecting Nuxt, an open-source web development framework for Vue.js. The flaw exists in the @nuxt/rspack-builder and @nuxt/webpack-builder packages and represents an incomplete fix for the earlier advisory GHSA-4gf7-ff8x-hq99. When a developer runs nuxt dev bound to a non-loopback address and visits a malicious site while an attacker is on the same network, the attacker can exfiltrate project source code. The issue is tracked under CWE-749 (Exposed Dangerous Method or Function) and has been patched in Nuxt versions 3.21.6 and 4.4.6.

Critical Impact

An attacker on the same network as a Nuxt developer can steal application source code by luring the developer to a malicious page while the dev server is exposed on a non-loopback interface.

Affected Products

  • @nuxt/rspack-builder versions 3.15.4 to before 3.21.6
  • @nuxt/rspack-builder and @nuxt/webpack-builder versions 4.0.0-alpha.1 to before 4.4.6
  • @nuxt/webpack-builder versions 3.15.4 to before 3.21.6

Discovery Timeline

  • 2026-06-12 - CVE-2026-45670 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-45670

Vulnerability Analysis

Nuxt's development server uses the webpack or rspack builder to compile Vue.js applications and serve generated assets during local development. The earlier advisory GHSA-4gf7-ff8x-hq99 attempted to restrict access to builder endpoints that expose compiled module sources. CVE-2026-45670 demonstrates that the original mitigation was incomplete. When the developer launches the dev server using nuxt dev --host, the listener binds to a non-loopback interface and accepts requests from other hosts on the local network. Endpoints exposed by the webpack and rspack builders return application source content without sufficient origin verification. The vulnerability is classified under CWE-749 because internal builder methods remain reachable from contexts that should not have access. The fix in 3.21.6 and 4.4.6 tightens validation of inbound requests to the dev server.

Root Cause

The builder exposes development-only routes that serve module sources for hot module replacement and debugging. The previous patch did not fully constrain which origins could invoke these routes, leaving a gap when the server was reachable from adjacent network hosts.
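To make the root cause concrete, the following is an added example of the kind of request validation a dev server can apply to development-only routes before serving module sources. It is illustration code written for this page, not Nuxt's implementation or the patch in PR #35051; the `/_nuxt/` route prefix comes from the indicators listed below, while the allowed-host list and the function name `shouldServeDevRoute` are assumptions.

```javascript
// Added example (not Nuxt's code): reject requests for development-only routes
// unless both the Host header and, when present, the Origin header point at a
// loopback address. Assumed values: the allowed-host list and the route prefix.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const DEV_ROUTE_PREFIX = "/_nuxt/"; // builder asset/module routes named in the IoC list

// Strip the port from a Host header value such as "127.0.0.1:3000" or "[::1]:3000".
function hostWithoutPort(host) {
  if (host.startsWith("[")) {
    const end = host.indexOf("]");
    return end === -1 ? host : host.slice(0, end + 1);
  }
  const i = host.lastIndexOf(":");
  return i === -1 ? host : host.slice(0, i);
}

// headers: plain object of lowercase header names -> values (the shape of Node's req.headers).
// Returns { allow, reason } so a server can log why a request was refused.
function shouldServeDevRoute(url, headers, allowedHosts = LOOPBACK_HOSTS) {
  if (!url.startsWith(DEV_ROUTE_PREFIX)) {
    return { allow: true, reason: "not a development-only route" };
  }
  // Host check: a request that reached us via a LAN address (or a rebound DNS name)
  // is refused even if no Origin header is present.
  const host = headers["host"];
  if (!host) return { allow: false, reason: "missing Host header" };
  if (!allowedHosts.has(hostWithoutPort(host).toLowerCase())) {
    return { allow: false, reason: `unexpected Host ${host}` };
  }
  // Origin check: browsers attach Origin to cross-origin fetches; "null" and
  // unparseable values are treated as hostile.
  const origin = headers["origin"];
  if (origin !== undefined) {
    let originHost;
    try {
      originHost = new URL(origin).hostname.toLowerCase();
    } catch (_) {
      return { allow: false, reason: `unparseable Origin ${origin}` };
    }
    if (!allowedHosts.has(originHost)) {
      return { allow: false, reason: `cross-origin request from ${origin}` };
    }
  }
  // Fetch metadata, when the browser sends it, gives a second opinion.
  if (headers["sec-fetch-site"] === "cross-site") {
    return { allow: false, reason: "Sec-Fetch-Site: cross-site" };
  }
  return { allow: true, reason: "same-origin request to an allowed host" };
}

// Usage: a middleware would call this before serving and answer 403 on allow === false.
console.log(shouldServeDevRoute("/_nuxt/app.js", { host: "127.0.0.1:3000", origin: "http://attacker.example" }));
```

The Host check is what closes the LAN exposure described above: a request from another machine on the subnet arrives with the developer's LAN address in the Host header, so it is refused even when the browser sends no Origin. The Origin check handles the malicious-page case, where the developer's own browser makes the request but from a foreign origin.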

Attack Vector

Exploitation requires three conditions: the developer must start the dev server bound to a non-loopback address using a flag such as --host, the attacker must reside on the same network segment, and the developer must visit an attacker-controlled web page. The malicious page issues cross-origin requests to the developer's dev server, retrieves source content from the builder endpoints, and exfiltrates it to the attacker. User interaction is required because the developer must visit the malicious page during an active dev session.

No verified public proof-of-concept code is available. Refer to the Nuxt Security Advisory GHSA-6m52-m754-pw2g and the GitHub Pull Request #35051 for technical details of the patched behavior.

Detection Methods for CVE-2026-45670

Indicators of Compromise

  • Outbound HTTP requests from a developer workstation to unknown hosts containing serialized JavaScript or Vue single-file component content.
  • Inbound requests to a developer's dev server (default port 3000) originating from IP addresses other than 127.0.0.1 or ::1.
  • Browser activity showing cross-origin fetches against http://<dev-host>:3000/_nuxt/ paths from unrelated domains.

Detection Strategies

  • Inventory running Nuxt projects and verify the installed versions of @nuxt/webpack-builder and @nuxt/rspack-builder against the patched releases 3.21.6 and 4.4.6.
  • Monitor process command lines on developer endpoints for invocations of nuxt dev combined with --host or with a HOST environment variable set to a non-loopback value.
  • Inspect network telemetry for connections to developer dev-server ports from any source other than the local host.
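The first two detection strategies above (version inventory and command-line monitoring) can be scripted. The following is an added example written for this page, not tooling from the Nuxt project: it compares builder versions from a package-lock.json against the affected ranges stated in this advisory, and classifies a captured nuxt dev command line and environment as loopback-bound or exposed. The lockfile contents are constructed sample data, and the helper names are assumptions.

```javascript
// Added example (not Nuxt tooling): version inventory and command-line checks.
const AFFECTED_PACKAGES = new Set(["@nuxt/webpack-builder", "@nuxt/rspack-builder"]);
// Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
const AFFECTED_RANGES = [
  { from: "3.15.4", before: "3.21.6" },
  { from: "4.0.0-alpha.1", before: "4.4.6" },
];

// Minimal semver parser (core triple plus prerelease identifiers; build metadata ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: compare core numerically, then prerelease identifiers
// (numeric < alphanumeric, shorter prefix is lower, no prerelease > any prerelease).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) < Number(q) ? -1 : 1;
    if (pn) return -1;
    if (qn) return 1;
    return p < q ? -1 : 1;
  }
  return x.pre.length < y.pre.length ? -1 : x.pre.length > y.pre.length ? 1 : 0;
}

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    (r) => compareSemver(version, r.from) >= 0 && compareSemver(version, r.before) < 0,
  );
}

// Walk a lockfileVersion 2/3 package-lock object; entries are keyed by install path.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (AFFECTED_PACKAGES.has(name) && isAffectedVersion(entry.version)) {
      findings.push({ name, version: entry.version, path });
    }
  }
  return findings;
}

// "localhost", 127.x.x.x and ::1 (with or without brackets) count as loopback.
function isLoopbackHost(h) {
  const v = h.replace(/^\[|\]$/g, "").toLowerCase();
  return v === "localhost" || v.startsWith("127.") || v === "::1";
}

// Classify a process command line (plus its environment) as described in the
// detection strategy: --host with no value, a non-loopback --host value, or a
// non-loopback HOST variable all mean the listener is reachable from the LAN.
function devServerExposure(cmdline, env = {}) {
  if (!/\bnuxt\s+dev\b/.test(cmdline)) return { exposed: false, reason: "not a nuxt dev invocation" };
  const tokens = cmdline.trim().split(/\s+/);
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    let value;
    if (t.startsWith("--host=")) value = t.slice("--host=".length);
    else if (t === "--host") value = tokens[i + 1] && !tokens[i + 1].startsWith("-") ? tokens[i + 1] : "";
    else continue;
    if (value === "") return { exposed: true, reason: "--host given without a loopback value" };
    return isLoopbackHost(value)
      ? { exposed: false, reason: `--host ${value} is loopback` }
      : { exposed: true, reason: `--host ${value}` };
  }
  if (env.HOST && !isLoopbackHost(env.HOST)) return { exposed: true, reason: `HOST=${env.HOST}` };
  return { exposed: false, reason: "bound to loopback by default" };
}

// Constructed sample lockfile; versions are illustrative only.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/nuxt": { version: "3.20.0" },
    "node_modules/@nuxt/webpack-builder": { version: "3.20.0" },
    "node_modules/@nuxt/rspack-builder": { version: "3.21.6" },
    "node_modules/vue": { version: "3.5.0" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
console.log(devServerExposure("npx nuxt dev --host", { HOST: "" }));
```

To run this against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; for pnpm or yarn lockfiles the same `isAffectedVersion` check applies once the builder package entries have been extracted from that format.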

Monitoring Recommendations

  • Capture network flows on developer subnets and alert when external workstations connect to common dev-server ports such as 3000, 8080, or 24678.
  • Log browser DNS resolutions and HTTP requests on developer machines to identify visits to unfamiliar domains during active dev sessions.
  • Track package manifests (package.json, pnpm-lock.yaml, yarn.lock) in source repositories for outdated Nuxt builder versions.
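The network-flow alerting suggested in the first monitoring recommendation, together with the inbound-connection indicator listed under Indicators of Compromise, can be expressed as a small triage routine. The following is an added example for this page, not a detection shipped by any vendor: it parses constructed flow records in a simple text form, keeps only TCP connections to the dev-server ports named above, discards loopback traffic and a host talking to its own address, and summarises which external sources reached which dev server. The record format, sample addresses and function names are all assumptions.

```javascript
// Added example (constructed data, not a vendor detection): flag connections to
// common dev-server ports from anything other than the local host.
const DEV_SERVER_PORTS = new Set([3000, 8080, 24678]); // ports named in the monitoring guidance

function isLoopback(ip) {
  return ip.startsWith("127.") || ip === "::1" || /^::ffff:127\./i.test(ip);
}

// Constructed flow line format: "<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
// IPv6 addresses are written in brackets so the port separator is unambiguous.
function parseFlow(line) {
  const m = /^(\S+)\s+(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$/i.exec(line.trim());
  if (!m) return null;
  const strip = (ip) => ip.replace(/^\[|\]$/g, "");
  return {
    ts: m[1],
    proto: m[2].toLowerCase(),
    src: strip(m[3]),
    sport: Number(m[4]),
    dst: strip(m[5]),
    dport: Number(m[6]),
  };
}

// Return one alert per flow that reaches a dev-server port from another host.
function triageFlows(lines) {
  const alerts = [];
  for (const line of lines) {
    const f = parseFlow(line);
    if (!f || f.proto !== "tcp" || !DEV_SERVER_PORTS.has(f.dport)) continue;
    // Loopback sources, and a developer hitting their own LAN address, are expected.
    if (isLoopback(f.src) || f.src === f.dst) continue;
    alerts.push({ ts: f.ts, src: f.src, dst: f.dst, dport: f.dport });
  }
  return alerts;
}

// Group alerts by exposed dev server so an analyst sees each listener once,
// with the distinct external sources that touched it.
function summarize(alerts) {
  const byServer = new Map();
  for (const a of alerts) {
    const key = `${a.dst}:${a.dport}`;
    if (!byServer.has(key)) byServer.set(key, new Set());
    byServer.get(key).add(a.src);
  }
  return [...byServer].map(([server, srcs]) => ({ server, sources: [...srcs].sort() }));
}

// Constructed sample flows covering the cases the rule must distinguish.
const SAMPLE_FLOWS = [
  "2026-06-15T09:00:01Z tcp 127.0.0.1:51000 -> 127.0.0.1:3000",        // normal local use
  "2026-06-15T09:00:02Z tcp [::1]:51001 -> [::1]:3000",                // local use over IPv6
  "2026-06-15T09:00:03Z tcp 192.168.1.20:51002 -> 192.168.1.20:3000",  // developer hitting own LAN address
  "2026-06-15T09:00:04Z tcp 192.168.1.77:40000 -> 192.168.1.20:3000",  // another LAN host: alert
  "2026-06-15T09:00:05Z tcp 192.168.1.77:40001 -> 192.168.1.20:24678", // same host, HMR port: alert
  "2026-06-15T09:00:06Z tcp 192.168.1.77:40002 -> 192.168.1.20:443",   // not a dev-server port: ignore
  "2026-06-15T09:00:07Z udp 192.168.1.77:40003 -> 192.168.1.20:3000",  // not TCP: ignore
];

console.log(JSON.stringify(summarize(triageFlows(SAMPLE_FLOWS)), null, 2));
```

The same-host exclusion (`f.src === f.dst`) matters in practice: a developer who opens their project at the machine's LAN address produces flows that look external by port alone, and without that exclusion the rule would page on every such session.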

How to Mitigate CVE-2026-45670

Immediate Actions Required

  • Upgrade @nuxt/webpack-builder and @nuxt/rspack-builder to version 3.21.6 for the 3.x line or 4.4.6 for the 4.x line.
  • Stop running nuxt dev with --host or a non-loopback HOST value unless explicitly required for cross-device testing.
  • Audit developer workstations to confirm dev servers are bound to 127.0.0.1 by default.

Patch Information

The maintainers fixed the issue in Nuxt 3.21.6 and 4.4.6. Details of the code change are available in Nuxt Pull Request #35051 and the GitHub Security Advisory GHSA-6m52-m754-pw2g. Upgrading the affected builder package resolves the incomplete fix tracked under the original advisory GHSA-4gf7-ff8x-hq99.

Workarounds

  • Bind the development server exclusively to the loopback interface by omitting --host and unsetting any HOST environment variable.
  • When remote access to the dev server is required, route it through an authenticated tunnel such as SSH port forwarding rather than exposing it to the LAN.
  • Configure host firewalls on developer machines to block inbound connections to dev-server ports from non-loopback sources.
```bash
# Configuration example: upgrade Nuxt and restrict dev server to loopback
npm install nuxt@^3.21.6
# or for the 4.x line
npm install nuxt@^4.4.6

# Start the dev server bound to loopback only
unset HOST
npx nuxt dev --host 127.0.0.1
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
