CVE-2025-24361
Opening a malicious website while running a Nuxt dev server could allow read-only access to codeNuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.
We have discovered 1 live websites that are affected by CVE-2025-24361.
Affected Software
| Product |  Nuxt.js |
| Category | Web Application Frameworks |
| Vulnerable Domains | 1 live websites (100% of Nuxt.js install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-749 Exposed Dangerous Method or FunctionDetails
- Published - Jan 25, 2025
- Updated - Feb 12, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-24361 United States | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-24361| .com | 1 websites |
Websites affected by CVE-2025-24361
Top websites that are affected by CVE-2025-24361. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.*********.com | United States | **,***,*** |
FAQ
CVE-2025-24361 is Exposed Dangerous Method or Function in Nuxt.js
A total of 1 websites have been identified as vulnerable to CVE-2025-24361, based on global website indexing conducted by WebTechSurvey.
The Nuxt.js is affected by the CVE-2025-24361 vulnerability.
Nuxt.js versions up to 3.15.3 are vulnerable to CVE-2025-24361.
CVE-2025-24361 is resolved in version 3.15.3 of Nuxt.js.