CVE-2025-24360

### Summary Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. ### Details While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995). https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263 That CORS handler sets `Access-Control-Allow-Origin: *`. > [!IMPORTANT] > If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring `vite.server.cors`. ### PoC 1. Start a dev server in any nuxt project using Vite by `nuxt dev`. 2. Send a fetch request to `http://localhost:3000/_nuxt/app.vue` (`fetch('http://localhost:3000/_nuxt/app.vue')`) from a different origin page. ### Impact Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites ### Additional Information `/__nuxt_vite_node__/manifest` / `/__nuxt_vite_node__/module` also seems to have `Access-Control-Allow-Origin: *`, so it maybe also possible to exploit that handler. https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39 Although I didn't find a valid module id. Note that this handler is probably also vulnerable to DNS rebinding attacks as I didn't find any host header checks.