CVE-2025-24360: 
JavaScript vulnerability analysis and mitigation

CVE-2025-24360 affects Nuxt, an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send requests to the development server and read the response due to default CORS settings. The vulnerability was discovered and disclosed on January 24, 2025 (NVD, GitHub Advisory).

The vulnerability exists because Nuxt uses its own CORS handler by default that sets Access-Control-Allow-Origin: * for development server requests. This implementation was introduced in response to a similar vulnerability in Vite (GHSA-vg6x-rcgg-rjx6). The issue affects the /nuxtvitenode/manifest and /nuxtvitenode/module endpoints. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (GitHub Advisory).

Users with the default server.cors option using Vite builder may have their source code exposed to malicious websites. When a user visits a malicious website while running a Nuxt development server, the attacker can potentially read source code and sensitive information through cross-origin requests (GitHub Advisory).

The vulnerability has been fixed in version 3.15.3. For users unable to upgrade, it is possible to opt-out of the default Nuxt CORS handler by configuring vite.server.cors to restrict allowed origins (GitHub Advisory).