CVE Catalog

CVE-2026-45670

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

In versions @nuxt/rspack-builder and @nuxt/webpack-builder from 3.15.4 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during development when the dev server is bound to a non-loopback address.

Risk Assessment

The organization may be at risk of source code theft if a developer opens a malicious site on the same network as the dev server. This could lead to the leakage of sensitive information and security breaches.

Recommendation

It is recommended to upgrade to versions 3.21.6 or 4.4.6 to mitigate this vulnerability. Additionally, avoid running the dev server on addresses other than loopback.

Original NVD description (English source)

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS