Vulnerability Description
Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packa
- https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packa
- https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f
- https://github.com/nuxt/nuxt/pull/23995
- https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47
- https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6
FAQ
What is CVE-2025-24360?
CVE-2025-24360 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the...
How severe is CVE-2025-24360?
CVE-2025-24360 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-24360?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.