Advisories for Npm/@Nuxt/Webpack-Builder package

2026

@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)

This is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev –host) and the developer opens a malicious site on the same network.

Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev –host) and the developer opens a malicious site on the same network.

2025

Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.