CVE-2025-24360 MEDIUM

CVE-2025-24360: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Vendor Nuxt

Product nuxt

Weakness CWE-200 · Info exposure

Published January 25, 2025

Last update February 12, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.

Key dates

02Disclosure timeline

January 25, 2025 CVE published

February 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-24360 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2025-24360: Opening a malicious website while running a Nuxt dev server could allow read-only access to code

01Description

02Disclosure timeline

03References

04Related CVE