
Cloud Vulnerability DB
A community-led vulnerabilities database
A medium-severity vulnerability (CVE-2025-52662) was discovered in Nuxt DevTools, affecting versions prior to 2.6.4. It was disclosed on November 6, 2025, and is a cross-site scripting (XSS) issue that, under certain configurations, allows an attacker to extract the DevTools authentication token (Vercel Changelog).
The vulnerability is in the DevTools authentication page, which writes error messages into the document with innerHTML instead of textContent. Because the browser parses the assigned string as HTML, attacker-controlled message content becomes live markup, including event-handler attributes, which is a DOM-based XSS. The vulnerability has a CVSS v3.1 base score of 6.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N; the UI:R and AC:H components reflect that a developer must be induced to load a crafted page while DevTools is reachable (Miggo).
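The sink described above, as an added example that is not Nuxt DevTools' own code: the vulnerable innerHTML rendering beside the textContent form used in the fix, plus an escaping helper for cases where surrounding markup is genuinely needed. The FakeElement class is a constructed stand-in for a browser element so the example runs under Node; a real browser would parse the same markup and fire the onerror handler. The payload and function names are assumptions for illustration.

```javascript
// Constructed stand-in for a DOM element: models the one behaviour that
// matters here, namely that innerHTML parses markup into elements with
// attributes while textContent stores the string as inert text.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.children = []; // elements created by HTML parsing
    this.text = "";     // text node content
  }

  // innerHTML sink: the browser parses the string as HTML, creating elements
  // and attaching attributes such as onerror (this is the XSS sink).
  set innerHTML(markup) {
    this.children = [];
    this.text = markup.replace(/<[^>]*>/g, "");
    const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
    let m;
    while ((m = tagRe.exec(markup)) !== null) {
      const attrs = {};
      const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
      let a;
      while ((a = attrRe.exec(m[2])) !== null) {
        attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
      }
      this.children.push({ tagName: m[1].toLowerCase(), attrs });
    }
  }

  // textContent: no parsing; the whole string becomes one text node.
  set textContent(value) {
    this.children = [];
    this.text = String(value);
  }
}

// Vulnerable pattern: an attacker-controlled error message (for example one
// reflected from a query parameter) is interpreted as HTML.
function renderErrorVulnerable(el, message) {
  el.innerHTML = message;
  return el;
}

// Hardened pattern, the shape of the 2.6.4 fix: the message is inserted as
// text, so tags and event-handler attributes in it are inert.
function renderErrorSafe(el, message) {
  el.textContent = message;
  return el;
}

// When markup around untrusted text is genuinely required, escape the text
// before it reaches an HTML sink instead of relying on the sink to be safe.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if rendering produced any element carrying an inline on* handler,
// i.e. the payload would execute in a real browser.
function hasInlineHandler(el) {
  return el.children.some((c) =>
    Object.keys(c.attrs).some((k) => k.startsWith("on"))
  );
}

// Constructed payload of the kind a DOM-based XSS uses.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
```

The point of the comparison is that the fix is a sink change, not input filtering: textContent is safe for any string, whereas a denylist on the message would have to anticipate every parser quirk. escapeHtml is the fallback when a template really must mix trusted markup with untrusted text.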
On its own the XSS is a token theft; chained, it reaches remote code execution in development environments. An attacker uses the XSS to exfiltrate the DevTools authentication token, then uses that token to speak to the DevTools WebSocket, whose message handler has a path traversal flaw that lets a client write files outside the intended directory. Overwriting a configuration file that the dev server loads turns the arbitrary write into code execution on the developer's machine (Vercel Changelog).
The vulnerability was patched in Nuxt DevTools 2.6.4 by replacing innerHTML with textContent for error message display. Users should upgrade to 2.6.4 or later. Until they can, the recommended workaround is to not expose Nuxt DevTools publicly and to not run Nuxt in dev mode in production (Vercel Changelog, GitHub Commit).
The vulnerability was reported through coordinated disclosure by security researcher @yuske (Vercel Changelog).
Source: This report was generated using AI