A medium-severity security vulnerability in Nuxt DevTools was responsibly disclosed and has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations.
Nuxt DevTools users are encouraged to upgrade to the latest version. Read more details below.
Summary
A vulnerability chain in Nuxt DevTools allows remote code execution in development environments through a combination of cross-site scripting (XSS), authentication token exfiltration, and path traversal.
Impact
The vulnerability exists in the DevTools authentication page where error messages are rendered without proper sanitization, enabling DOM-based XSS. An attacker can exploit this to steal authentication tokens and leverage a path traversal vulnerability in the WebSocket message handler to write arbitrary files outside the intended directory, leading to remote code execution when configuration files are overwritten.
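One way to confine a file-writing message handler to its intended directory, shown as an added example that is not Nuxt DevTools code. The helper name `resolveInside`, the base directory, and the sample paths are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper, not taken from the Nuxt DevTools source.
const path = require('node:path');

// Resolve a client-supplied path against baseDir and refuse anything that
// would land outside it. This is a lexical check only: symlinks that already
// exist inside baseDir are not followed here, so resolve the parent with
// fs.realpath before writing if the directory may contain links.
function resolveInside(baseDir, requested) {
  if (typeof requested !== 'string' || requested.length === 0 || requested.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(baseDir);
  // path.resolve collapses "." and ".." and lets an absolute input replace base
  const target = path.resolve(base, requested);
  const rel = path.relative(base, target);
  // Compare whole path segments. A string prefix test on `target` would accept
  // a sibling such as "<base>-old", and would reject nothing for "..name".
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) {
    throw new Error('path escapes base directory');
  }
  return target;
}

// Constructed sample inputs, as a message handler might receive them
const BASE = '/srv/app/.devtools-data';
const SAMPLES = [
  'notes/todo.md',            // plain relative path: allowed
  'a/../b.txt',               // ".." that stays inside base: allowed
  '..hidden/file',            // name that merely starts with "..": allowed
  '../app.config.js',         // climbs out of base: rejected
  'a/../../app.config.js',    // climbs out after descending: rejected
  '/tmp/outside.txt',         // absolute path: rejected
  '../.devtools-data-old/x',  // sibling sharing the base prefix: rejected
];

// Returns [input, resolvedPath] pairs, with null for rejected inputs
function classify(samples) {
  return samples.map((p) => {
    try { return [p, resolveInside(BASE, p)]; } catch (e) { return [p, null]; }
  });
}

for (const [input, resolved] of classify(SAMPLES)) {
  console.log(resolved ? 'ALLOW' : 'DENY ', JSON.stringify(input), resolved ?? '');
}
```

A handler would call the helper before any write and pass only the returned path to the filesystem API.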
Resolution
The XSS was resolved by displaying errors as textContent instead of innerHTML in:
Nuxt DevTools 2.6.4
Workarounds
Avoid publicly exposing Nuxt DevTools or running Nuxt in production in dev mode.
Credit
Thanks to @yuske for responsible disclosure.