MEDIUM · CVSS 6.1
CVE-2024-47178 — Nuxt devtools prototype pollution
Nuxt devtools had a prototype-pollution flaw in a dev-mode route handler. When the dev server was reachable from the network, an attacker could escalate it to remote code execution on the developer's machine.
Affects
- nuxt-devtools < 1.5.1
What an attacker does
A developer runs the Nuxt dev server bound to a LAN or internet-facing interface (e.g., with `--host`). An attacker on that network sends a crafted request to the devtools route; the handler merges attacker-controlled keys into an object without filtering `__proto__`, polluting `Object.prototype`. Later devtools operations read the polluted properties and end up executing attacker-supplied code with the developer's privileges.
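The mechanism, as an added generic illustration (this is not the Nuxt devtools handler, which is not reproduced here): a naive recursive merge walks into `dst["__proto__"]`, which is `Object.prototype`, so a single crafted JSON body poisons every object in the process. The hardened version skips the prototype-chain keys and only recurses into own properties. The crafted body is constructed for this example.

```javascript
// Added example, not Nuxt code: how a crafted JSON body pollutes Object.prototype
// through a naive deep merge, and a hardened merge that does not.

// Constructed request body of the kind an attacker would send.
const CRAFTED_BODY = '{"name":"demo","__proto__":{"polluted":"yes"}}';

// Vulnerable: JSON.parse creates an OWN property literally named "__proto__",
// so Object.keys() yields it; reading dst["__proto__"] returns Object.prototype
// and the recursion writes the attacker's keys onto it.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: refuse the keys that reach the prototype chain and only recurse into
// children that are dst's own plain objects, never inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = src[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(dst, key) || typeof dst[key] !== 'object' || dst[key] === null) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Merge the crafted body with the vulnerable merge; `probe` is an unrelated object
// created beforehand, yet it now inherits the attacker's key. Cleans up afterwards.
function runUnsafe() {
  const probe = {};
  unsafeMerge({}, JSON.parse(CRAFTED_BODY));
  const leaked = probe.polluted; // 'yes'
  delete Object.prototype.polluted;
  return leaked;
}

// Same body through the hardened merge: the legitimate key survives, the
// prototype is untouched and no own "__proto__" key is copied across.
function runSafe() {
  const probe = {};
  const result = safeMerge({}, JSON.parse(CRAFTED_BODY));
  return {
    leaked: probe.polluted,                 // undefined
    name: result.name,                      // 'demo'
    copiedProto: hasOwn(result, '__proto__') // false
  };
}
```

The same pattern applies to any recursive merge, query-string parser or config loader that accepts untrusted keys: block `__proto__`, `constructor` and `prototype`, or build the target with `Object.create(null)` so there is no prototype to reach.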
How to detect
Check the resolved version of nuxt-devtools, not just the range in package.json: a `^1.4.x` range may already have been updated past the fix, so read package-lock.json (or run `npm ls nuxt-devtools`) and treat anything below 1.5.1 as vulnerable. Also check whether the dev server is started with `--host`, since the flaw is only reachable when the server is bound to a non-loopback interface.
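A small version check, added here as an example and not part of Securie or Nuxt. It prefers the resolved version from an npm lockfile (lockfileVersion 2/3 layout) and falls back to the lower bound of the package.json range, which is conservative: a range whose floor is below 1.5.1 is flagged even though the installed copy might be newer. The manifest and lockfile contents are constructed; prerelease suffixes are ignored, and specs that are not semver (tags, git URLs) are reported as undetermined.

```javascript
// Added example: find the installed nuxt-devtools version and compare it to the
// fixed release 1.5.1. Not the vendor's tooling; inputs below are constructed.

const PACKAGE_NAME = 'nuxt-devtools';
const FIXED_VERSION = [1, 5, 1];

// Accepts "1.4.2", "^1.4.2", "~1.4.2", ">=1.4.2"; returns null for tags or URLs.
function parseVersion(spec) {
  const m = /^[\^~>=\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Lockfile wins because it records what is actually installed; package.json
// only records the requested range.
function resolveInstalledVersion(manifest, lockfile) {
  if (lockfile && lockfile.packages) {
    const entry = lockfile.packages['node_modules/' + PACKAGE_NAME];
    if (entry && entry.version) return { version: entry.version, source: 'package-lock.json' };
  }
  for (const field of ['dependencies', 'devDependencies']) {
    const spec = manifest[field] && manifest[field][PACKAGE_NAME];
    if (spec) return { version: spec, source: 'package.json ' + field };
  }
  return null;
}

// vulnerable: true/false, or null when the spec cannot be compared.
function assess(manifestJson, lockfileJson) {
  const manifest = JSON.parse(manifestJson);
  const lockfile = lockfileJson ? JSON.parse(lockfileJson) : null;
  const found = resolveInstalledVersion(manifest, lockfile);
  if (!found) return { present: false, vulnerable: false };
  const parsed = parseVersion(found.version);
  return {
    present: true,
    version: found.version,
    source: found.source,
    vulnerable: parsed ? compareVersions(parsed, FIXED_VERSION) < 0 : null
  };
}

// Convenience wrapper for a real project directory (lazy require keeps the
// pure functions above free of filesystem access).
function assessDir(dir) {
  const fs = require('fs');
  const path = require('path');
  const manifestJson = fs.readFileSync(path.join(dir, 'package.json'), 'utf8');
  const lockPath = path.join(dir, 'package-lock.json');
  const lockJson = fs.existsSync(lockPath) ? fs.readFileSync(lockPath, 'utf8') : null;
  return assess(manifestJson, lockJson);
}

// Constructed sample inputs.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'app', devDependencies: { nuxt: '^3.12.0', 'nuxt-devtools': '^1.4.2' }
});
const SAMPLE_LOCK_VULNERABLE = JSON.stringify({
  lockfileVersion: 3, packages: { 'node_modules/nuxt-devtools': { version: '1.4.2' } }
});
const SAMPLE_LOCK_FIXED = JSON.stringify({
  lockfileVersion: 3, packages: { 'node_modules/nuxt-devtools': { version: '1.5.1' } }
});
```

Run it against a checkout with `node -e "console.log(require('./check.js').assessDir('.'))"` after saving the block as `check.js` with `module.exports = { assess, assessDir }` appended; a `vulnerable: null` result means the spec needs a manual look.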
How to fix
Upgrade nuxt-devtools to 1.5.1 or later. Keep the Nuxt dev server bound to localhost: do not start it with `--host` (or a non-loopback `devServer.host`) on a network you do not fully control, and never forward it to the internet.
How Securie catches it
Securie flags vulnerable nuxt-devtools versions and warns when the dev server is exposed on the network.