CVE-2026-49993

@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)

Assigner: GitHub_M
Reserved: 02.06.2026 Published: 12.06.2026 Updated: 12.06.2026

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	nuxt
Product	nuxt
Versions	Version >= 3.15.4, < 3.21.7 is affected Version >= 4.0.0, < 4.4.7 is affected

Vendor

nuxt

Product

nuxt

Versions

Version >= 3.15.4, < 3.21.7 is affected
Version >= 4.0.0, < 4.4.7 is affected

References

Problem Types

CWE-749: Exposed Dangerous Method or Function CWE

CVE-2026-49993 PUBLISHED

@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)

Metrics

Product Status

References

Problem Types