CVE-2026-45670
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
In versions @nuxt/rspack-builder and @nuxt/webpack-builder from 3.15.4 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during development when the dev server is bound to a non-loopback address.
Risk Assessment
The organization may be at risk of source code theft if a developer opens a malicious site on the same network as the dev server. This could lead to the leakage of sensitive information and security breaches.
Recommendation
It is recommended to upgrade to versions 3.21.6 or 4.4.6 to mitigate this vulnerability. Additionally, avoid running the dev server on addresses other than loopback.
Original NVD description (English source)
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6.

