CVE-2025-24360

low-risk

Published 2025-01-25

Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.

Do I need to act?

-

0.31% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

5

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

References (6)

https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packa...

https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packa...

https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f

https://github.com/nuxt/nuxt/pull/23995

https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47

https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6

23

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal