Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux
Vulnerability Description
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
缺省权限不正确
Vulnerability Title
Nuxt 权限许可和访问控制问题漏洞
Vulnerability Description
Nuxt是Nuxt团队开源的一个免费的开源框架。 Nuxt 4.4.7之前版本和3.21.7之前版本存在权限许可和访问控制问题漏洞,该漏洞源于在Linux上运行开发服务器时,将vite-node IPC服务器绑定到抽象命名空间Unix套接字且未设置权限限制,可能导致本地用户枚举和连接,低权限用户可利用未受保护的模块请求处理器通过SSR插件管道读取任意文件。
CVSS Information
N/A
Vulnerability Type
N/A