Nuxt Webpack and Rspack Builder Source Code Theft Vulnerability

Vulnerability

A vulnerability in Nuxt's webpack and rspack builders allows an attacker to steal an application's source code while the developer is running the dev server. The affected versions are Nuxt 3.0.0 and later for the webpack builder and 3.12.2 and later for the rspack builder, in both cases up to but not including the fixed release 3.15.4. The root cause is that classic script requests are not subject to the same-origin policy: any web page the developer visits can load the dev server's JavaScript chunks with a `<script src="http://localhost:3000/...">` tag, and the dev server serves them regardless of the requesting origin. Because dev-mode chunks are unminified, the attacker's page then holds the application's module code and can read it back as text.

Impact

Exploitation of this vulnerability gives an attacker unauthorized access to the source code of the affected Nuxt application, including any secrets or internal logic committed in it. It requires only that the dev server is running and that the developer visits a page the attacker controls.

Reproduction

To reproduce this vulnerability, create a Nuxt project using either the webpack or rspack builder and run it in development mode. Then, from a different origin, open a page controlled by the attacker that loads one of the dev server's chunk files with a `<script>` tag. The same-origin policy does not block this classic script load, so the chunk executes on the attacker's page and registers its module factory functions in `window.webpackChunknuxt_app`. The attacker's script then iterates over those entries and calls `Function.prototype.toString` on each factory, which returns the module's source as text. Once the script has run, it can send the stolen code to an external server or display it in the console.

Remediation

Users should upgrade to Nuxt 3.15.4 or later. The fix restricts cross-origin script access to the dev server via CORS to local origins by default, and exposes the CORS options through the `devServer` settings so that additional trusted origins can be allowed explicitly. Loosening that configuration to allow any origin reintroduces the issue.
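An added configuration example, not taken from the advisory or from the Nuxt repository, showing the weak setting beside the restricted one. It assumes the option is `devServer.cors` with h3-style CORS options as introduced with the 3.15.4 fix; the local-origin pattern and the extra hostname are assumptions to be checked against the release notes.

```javascript
// nuxt.config.js (added example; assumes the devServer.cors option from the fix)
export default defineNuxtConfig({
  devServer: {
    // Weak: allowing every origin lets any page the developer visits load
    // dev chunks again, which is exactly the attack the fix closes.
    // cors: { origin: "*" },

    // Restricted: only loopback/localhost origins (assumed pattern matching
    // the post-fix default) plus one explicitly trusted dev host (assumed).
    cors: {
      origin: [
        /^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/,
        "https://dev.example.test:3000",
      ],
    },
  },
});
```

After upgrading, confirm the behaviour rather than trusting the config: load a chunk URL from a page on an unrelated origin and check that the request is refused, while loads from `http://localhost:<port>` still succeed.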

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.