Insecure Development Configuration in Nuxt Framework by Nuxt Team
CVE-2026-45670
5.9MEDIUM
What is CVE-2026-45670?
The Nuxt framework, utilized for Vue.js development, has an inherent vulnerability in its @nuxt/rspack-builder and @nuxt/webpack-builder components. This issue arises when a development server is set to a non-loopback address, enabling potential source code theft if a developer inadvertently accesses a malicious site on the same network. The risk is applicable to versions 3.15.4 up to 3.21.6 and 4.0.0-alpha.1 up to 4.4.6. Fortunately, this critical issue has been addressed in the later releases 3.21.6 and 4.4.6, mitigating the security risks associated with this configuration flaw.
Affected Version(s)
nuxt >= 3.15.4, < 3.21.6 < 3.15.4, 3.21.6
nuxt >= 4.0.0-alpha.1, < 4.4.6 < 4.0.0-alpha.1, 4.4.6
