GHSA-534h-c3cw-v3h9: Nuxt dev server vite-node IPC socket is world-connectable on Linux
When running nuxt dev on Linux (Node.js 20+, outside Docker / StackBlitz), Nuxt’s internal vite-node IPC server binds to a Linux abstract-namespace Unix socket (\0nuxt-vite-node-<pid>-<ts>.sock). Abstract sockets have no filesystem inode and therefore no permission bits: any local UID on the host that can read /proc/net/unix can enumerate the socket and connect to it.
The IPC server does not perform any peer-credential or shared-secret check before dispatching requests. The module request type passes its moduleId field straight into Vite’s SSR fetchModule(), which is not gated by Vite’s HTTP-layer server.fs.allow deny-list. A co-resident unprivileged local user can therefore request paths like /home/<dev>/project/.env?raw or ~/.ssh/id_rsa?raw and read the developer’s secrets through the dev server’s SSR plugin pipeline. The resolve request type additionally enables filesystem probing.
This affects developers running nuxt dev on shared multi-tenant Linux hosts (lab machines, shared bastions, CI runners shared between jobs without per-job container isolation). It does not affect:
- Production builds (nuxt build / nuxt start). The IPC server only runs in development.
- macOS or Windows developers.
- Docker / StackBlitz environments, which already fall back to a filesystem socket.
- Single-user laptops or per-job containerised CI.
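To check whether a shared host currently has such a listener, an administrator can scan the same /proc/net/unix table the advisory mentions. The following is an added example, not code from Nuxt or from the advisory; the function names and the sample table are constructed, and it assumes <pid> in the socket name is decimal.

```javascript
// Added example: audit /proc/net/unix text for Nuxt vite-node abstract sockets.
// Column layout: Num RefCount Protocol Flags Type St Inode Path
const SO_ACCEPTCON = 0x10000; // Flags bit the kernel sets on a listening socket

// Name pattern from the advisory; the kernel prints the leading NUL as '@'.
// Assumption: <pid> is decimal; <ts> is kept as an opaque token.
const NUXT_IPC = /^@nuxt-vite-node-(\d+)-(.+)\.sock$/;

function findNuxtIpcSockets(procNetUnix) {
  const hits = [];
  for (const line of procNetUnix.split('\n').slice(1)) { // skip header row
    const cols = line.trim().split(/\s+/);
    if (cols.length < 8) continue; // unnamed sockets have no Path column
    const flags = cols[3];
    const inode = cols[6];
    const path = cols.slice(7).join(' ');
    const m = NUXT_IPC.exec(path);
    if (!m) continue; // filesystem sockets and unrelated abstract names
    hits.push({
      name: path,
      pid: Number(m[1]), // dev-server PID embedded in the socket name
      inode: Number(inode),
      listening: (parseInt(flags, 16) & SO_ACCEPTCON) !== 0,
    });
  }
  return hits;
}

// Exposed endpoints are the listeners; accepted connections reuse the same
// name, so report each dev-server PID once.
function exposedDevServers(procNetUnix) {
  const pids = findNuxtIpcSockets(procNetUnix)
    .filter((s) => s.listening)
    .map((s) => s.pid);
  return [...new Set(pids)];
}

// Constructed sample table, not captured from a real host.
const SAMPLE = [
  'Num       RefCount Protocol Flags    Type St Inode Path',
  '0000000000000000: 00000002 00000000 00010000 0001 01 41001 @nuxt-vite-node-4242-1700000000000.sock',
  '0000000000000000: 00000003 00000000 00000000 0001 03 41002 @nuxt-vite-node-4242-1700000000000.sock',
  '0000000000000000: 00000002 00000000 00010000 0001 01 17000 /run/dbus/system_bus_socket',
  '0000000000000000: 00000002 00000000 00010000 0001 01 17001 /tmp/nuxt-vite-node-9.sock',
  '0000000000000000: 00000003 00000000 00000000 0001 03 17002',
].join('\n');

console.log(exposedDevServers(SAMPLE));
```

To audit a live host, pass the function the contents of /proc/net/unix; each PID returned is a nuxt dev process whose IPC socket is reachable by other local users.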