
CVE-2026-49993: Nuxt rspack-builder Info Disclosure Flaw

CVE-2026-49993 is an information disclosure vulnerability in Nuxt rspack-builder and webpack-builder that allows source code theft on non-loopback dev servers. This article covers technical details, affected versions, and patches.

CVE-2026-49993 Overview

CVE-2026-49993 is an information disclosure vulnerability in Nuxt, an open-source web development framework for Vue.js. The flaw affects @nuxt/rspack-builder and @nuxt/webpack-builder and represents an incomplete fix for the prior advisory GHSA-6m52-m754-pw2g. When the Nuxt development server is bound to a non-loopback address using nuxt dev --host, an attacker on the same network can exfiltrate application source code if a developer visits a malicious site. The issue is tracked under CWE-749: Exposed Dangerous Method or Function and has been resolved in versions 3.21.7 and 4.4.7.

Critical Impact

Adjacent network attackers can steal Nuxt application source code from a developer's machine when the dev server is exposed beyond loopback and the developer browses a malicious page.

Affected Products

  • @nuxt/rspack-builder versions 3.15.4 to before 3.21.7
  • @nuxt/rspack-builder and @nuxt/webpack-builder versions 4.0.0 to before 4.4.7
  • Nuxt dev server when launched with non-loopback binding (e.g. nuxt dev --host)

Discovery Timeline

  • 2026-06-12 - CVE-2026-49993 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-49993

Vulnerability Analysis

The vulnerability allows source code theft from the Nuxt webpack or rspack development server during local development. When developers run nuxt dev --host, the dev server binds to a non-loopback interface and becomes reachable by other devices on the local network. The initial fix in GHSA-6m52-m754-pw2g attempted to gate dev-server resources behind same-origin checks. However, a malicious page can suppress all three signals the original check relied on, causing requests to be incorrectly treated as same-origin. An adjacent-network attacker leveraging a victim browser can therefore retrieve bundled JavaScript modules, source maps, and other build artifacts exposed by the dev middleware.

Root Cause

The root cause is reliance on browser-supplied signals (Sec-Fetch-Site, Origin, Referer) to determine whether a dev-server request is same-origin. A non-trustworthy origin can drop Sec-Fetch-*, use a non-CORS <script> tag to omit Origin, and set Referrer-Policy: no-referrer to drop Referer. With every signal absent, the prior implementation defaulted to allowing the request, enabling cross-origin reads against a dev server bound to a routable address.

Attack Vector

Exploitation requires adjacent-network positioning and developer interaction. The attacker hosts a page that issues requests to the developer's Nuxt dev server URL (reachable because of --host). The page is crafted to strip Sec-Fetch-*, Origin, and Referer, causing the dev server to serve internal bundle assets. The patch in pull request #35200 hardens the check by requiring a loopback Host header when none of the same-origin signals are present.

```typescript
const LOOPBACK_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1'])

// Node may expose a header as an array when it was sent more than once; take the first value.
function firstHeader (value: string | string[] | undefined): string | undefined {
  return Array.isArray(value) ? value[0] : value
}

// True only for a Host header naming a loopback address, ignoring port and IPv6 brackets.
function isLoopbackHost (host: string | undefined): boolean {
  if (!host) { return false }
  const withoutPort = host.replace(/:\d+$/, '')
  const hostname = withoutPort.replace(/^\[|\]$/g, '').toLowerCase()
  return LOOPBACK_HOSTNAMES.has(hostname)
}

export function isSameOriginRequest (req: { headers: Record<string, string | string[] | undefined> }): boolean {
  // Prefer the browser's own fetch-metadata verdict when it is present.
  const site = firstHeader(req.headers['sec-fetch-site'])
  if (site !== undefined) {
    return site === 'same-origin' || site === 'none'
  }

  const initiator = firstHeader(req.headers.origin) || firstHeader(req.headers.referer)
  if (!initiator) {
    // A request with no `Sec-Fetch-Site`, `Origin`, or `Referer` is only safe to
    // allow when the dev server is loopback-bound.
    return isLoopbackHost(firstHeader(req.headers.host))
  }

  // The excerpt on this page was truncated at this point. The initiator-vs-Host
  // comparison below is a reconstruction so the function returns a boolean on
  // every path; it is not the upstream code. See the linked commit for the
  // exact logic Nuxt ships.
  try {
    return new URL(initiator).host === firstHeader(req.headers.host)
  } catch {
    return false
  }
}
// Source: https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05
```

Detection Methods for CVE-2026-49993

Indicators of Compromise

  • Unexpected HTTP requests to developer machines on dev-server ports (commonly 3000) originating from devices other than the developer's host
  • Dev-server access logs showing requests for .js, .map, or _nuxt/ assets with missing Origin, Referer, and Sec-Fetch-Site headers
  • Developer workstations running nuxt dev --host while connected to untrusted networks
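The second indicator above can be checked mechanically. The following added example (not Nuxt project code, and not from this advisory) applies the same criterion the Root Cause section describes, all three browser signals absent on a request reaching a non-loopback Host, to dev-server access-log lines; the log format, the "-" marker for an absent header, and the sample lines are constructed for this example.

```typescript
// Added example (not Nuxt project code): flag dev-server access-log entries that
// match the CVE-2026-49993 pattern: a bundle asset fetched with none of
// Sec-Fetch-Site, Origin or Referer while the server is reached through a
// non-loopback Host. The log format ("-" = absent header) is constructed here.

type Entry = { client: string, path: string, headers: Record<string, string> }

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1'])

// Constructed format: <timestamp> <client-ip> <method> <path> key=value...
function parseLine (line: string): Entry | undefined {
  const [, client, , path, ...rest] = line.trim().split(/\s+/)
  if (!client || !path) { return undefined }
  const headers: Record<string, string> = {}
  for (const kv of rest) {
    const i = kv.indexOf('=')
    if (i > 0) { headers[kv.slice(0, i).toLowerCase()] = kv.slice(i + 1) }
  }
  return { client, path, headers }
}

function hostIsLoopback (host: string): boolean {
  // Strip a trailing port and IPv6 brackets, as the patched helper does.
  return LOOPBACK.has(host.replace(/:\d+$/, '').replace(/^\[|\]$/g, '').toLowerCase())
}

function isBundleAsset (path: string): boolean {
  const clean = path.split('?')[0] ?? ''
  return clean.startsWith('/_nuxt/') || /\.(js|map)$/.test(clean)
}

export function findSignalStrippedReads (lines: string[]): Entry[] {
  const absent = (h: Record<string, string>, n: string) => !h[n] || h[n] === '-'
  return lines.map(parseLine).filter((e): e is Entry =>
    e !== undefined &&
    isBundleAsset(e.path) &&
    absent(e.headers, 'sec-fetch-site') &&
    absent(e.headers, 'origin') &&
    absent(e.headers, 'referer') &&
    !hostIsLoopback(e.headers.host ?? ''))
}

// Constructed sample: one signal-stripped cross-origin read (flagged), one
// ordinary same-origin read and one loopback-bound read (both ignored).
export const SAMPLE_LOG = [
  '2026-06-13T10:02:11Z 192.168.1.42 GET /_nuxt/app.js host=192.168.1.10:3000 origin=- referer=- sec-fetch-site=-',
  '2026-06-13T10:02:12Z 192.168.1.10 GET /_nuxt/app.js host=192.168.1.10:3000 origin=- referer=http://192.168.1.10:3000/ sec-fetch-site=same-origin',
  '2026-06-13T10:05:40Z 127.0.0.1 GET /_nuxt/app.js.map host=localhost:3000 origin=- referer=- sec-fetch-site=-',
]
```

A hit here is a starting point for investigation, not proof of compromise: a non-browser client such as curl also sends none of the three headers.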

Detection Strategies

  • Inventory Node.js projects to identify use of @nuxt/rspack-builder or @nuxt/webpack-builder at vulnerable versions (3.15.4–3.21.6, 4.0.0–4.4.6)
  • Inspect developer command history and CI scripts for nuxt dev --host or equivalent bindings to non-loopback addresses
  • Review network telemetry on developer subnets for connections to dev-server ports from unexpected source hosts

Monitoring Recommendations

  • Alert on inbound connections to typical dev-server ports from non-developer endpoints on flat office or guest networks
  • Monitor for browser navigations from developer endpoints to newly registered or low-reputation domains during active dev sessions
  • Track package.json and lockfile changes to ensure Nuxt and builder packages are upgraded to patched versions

How to Mitigate CVE-2026-49993

Immediate Actions Required

  • Upgrade nuxt, @nuxt/rspack-builder, and @nuxt/webpack-builder to version 3.21.7 (3.x line) or 4.4.7 (4.x line)
  • Stop using nuxt dev --host on untrusted networks until upgrades are deployed
  • Audit developer machines for active dev servers exposed to LAN, VPN, or guest network segments

Patch Information

The fix is delivered in Nuxt 3.21.7 and 4.4.7 via pull request #35200 and commits 77187ee and e351de9. The patch introduces an isSameOriginRequest helper that requires a loopback Host header when Sec-Fetch-Site, Origin, and Referer are all absent. See the GHSA-x6qj-4h56-5rj5 advisory for full disclosure details.

Workarounds

  • Bind the dev server only to loopback (127.0.0.1 or ::1) and avoid the --host flag on shared networks
  • When remote access is required, tunnel through SSH port forwarding or an authenticated reverse proxy instead of binding to the LAN
  • Use a host-based firewall rule to block inbound connections to dev-server ports from non-loopback interfaces

```bash
# Upgrade Nuxt and the affected builders to patched versions
npm install nuxt@^3.21.7 @nuxt/webpack-builder@^3.21.7 @nuxt/rspack-builder@^3.21.7
# For the 4.x line
npm install nuxt@^4.4.7 @nuxt/webpack-builder@^4.4.7 @nuxt/rspack-builder@^4.4.7

# Run the dev server bound to loopback only
nuxt dev --host 127.0.0.1
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
