CVE-2025-24361: 
JavaScript vulnerability analysis and mitigation

Nuxt, an open-source web development framework for Vue.js, was found to have a security vulnerability affecting versions 3.0.0 through 3.15.12 of the webpack builder and versions 3.12.2 through 3.152 of the rspack builder. The vulnerability was discovered and disclosed on January 24, 2025, and allows attackers to steal source code during development when a victim opens a malicious website (NVD, GitHub Advisory).

The vulnerability stems from a same-origin policy bypass where requests for classic script tags are not properly restricted. An attacker can inject a malicious script on their site and use Function::toString against the values in window.webpackChunknuxt_app to extract the source code. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating network attack vector, high attack complexity, no privileges required, and user interaction required (GitHub Advisory).

The vulnerability allows attackers to access and steal source code from Nuxt applications during development. This could lead to exposure of sensitive information, business logic, and potentially security-related configurations embedded in the source code (GitHub Advisory).

The vulnerability has been patched in Nuxt version 3.15.13. Users are strongly advised to upgrade to this version or later. The fix involves restricting access via CORS to local origins and allowing configuration through devServer.cors (Nuxt Commit).