{"uuid": "9fc0e22b-d83a-4cdd-89d4-64d042f0e127", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49993", "type": "seen", "source": "https://gist.github.com/alon710/5a51983a1e4f931f3bc541f627d26823", "content": "# CVE-2026-49993: CVE-2026-49993: Proprietary Source Code Exfiltration via Incomplete Same-Origin Verification in Nuxt Dev Servers\n\n> **CVSS Score:** 5.7\n> **Published:** 2026-06-16\n> **Full Report:** https://cvereports.com/reports/CVE-2026-49993\n\n## Summary\nCVE-2026-49993 identifies an incomplete same-origin check validation mechanism in @nuxt/webpack-builder and @nuxt/rspack-builder dev server middleware. When the local development server is bound to a non-loopback address, cross-origin attackers can bypass verification checks by suppressing browser headers, leading to unauthorized retrieval and exfiltration of compiled source code chunks.\n\n## TL;DR\nNuxt dev servers bound to non-loopback interfaces allow headerless cross-origin requests, enabling malicious sites to silently exfiltrate proprietary source code from active local development environments.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-749\n- **Attack Vector**: Adjacent Network\n- **CVSS v3.1 Score**: 5.7\n- **EPSS Score**: 0.00201\n- **Impact**: High Confidentiality Loss\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- @nuxt/webpack-builder\n- @nuxt/rspack-builder\n- **@nuxt/webpack-builder**: >= 3.15.4, < 3.21.7 (Fixed in: `3.21.7`)\n- **@nuxt/rspack-builder**: >= 3.15.4, < 3.21.7 (Fixed in: `3.21.7`)\n- **@nuxt/webpack-builder**: >= 4.0.0, < 4.4.7 (Fixed in: `4.4.7`)\n- **@nuxt/rspack-builder**: >= 4.0.0, < 4.4.7 (Fixed in: `4.4.7`)\n\n## Mitigation\n\n- Restrict development server bindings exclusively to loopback addresses (127.0.0.1 or localhost).\n- Utilize modern web browsers that enforce Local Network Access (LNA) protections.\n- Perform local development activities within isolated browser sessions or profiles.\n\n**Remediation Steps:**\n1. Open the package management configuration of the Nuxt project.\n2. Execute the update command: `pnpm update nuxt` or `pnpm update @nuxt/webpack-builder @nuxt/rspack-builder`.\n3. Verify that dependencies resolve to version 3.21.7 (for Nuxt 3) or 4.4.7 (for Nuxt 4) or higher.\n4. Remove configuration variables that bind the development host to 0.0.0.0 or LAN-visible IPs.\n\n## References\n\n- [GitHub Security Advisory GHSA-x6qj-4h56-5rj5](https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5)\n- [GitHub Security Advisory GHSA-6m52-m754-pw2g](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g)\n- [Fix Pull Request #35200](https://github.com/nuxt/nuxt/pull/35200)\n- [CVE-2026-49993 Record](https://www.cve.org/CVERecord?id=CVE-2026-49993)\n- [NVD entry for CVE-2026-49993](https://nvd.nist.gov/vuln/detail/CVE-2026-49993)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49993) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T00:21:33.000000Z"}