chore(deps): update pnpm.catalog.default nuxt to v4.4.7 [security]#816
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update pnpm.catalog.default nuxt to v4.4.7 [security]#816renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.4.6→4.4.7Nuxt: Dev server discloses project absolute path and persistent workspace UUID via
/.well-known/appspecific/com.chrome.devtools.jsonGHSA-rq7w-g337-39qq
More information
Details
Summary
When running
nuxt dev, Nuxt registers an unauthenticated route at/.well-known/appspecific/com.chrome.devtools.jsonthat returns the absolute filesystem path of the project root and a per-project UUID persisted tonode_modules/.cache/nuxt/chrome-workspace.json. The route is enabled by default viaexperimental.chromeDevtoolsProjectSettings: true.The endpoint exists to let Chrome DevTools' Workspace integration map sources to the developer's local checkout. The handler is registered directly on
nitro.options.devHandlersand does not pass through the CORS / origin wrapper that the rest of the dev pipeline uses, so it has no host / origin /Sec-Fetch-Sitecheck of its own.Impact
Dev-server only. Production builds do not register the route.
Two values are disclosed:
workspace.root: the absolute filesystem path of the project (commonly reveals the OS username and the on-disk project name).workspace.uuid: a v4 UUID persisted tonode_modules/.cache/nuxt/chrome-workspace.json, stable across dev-server restarts and re-clones.Threat model
The response carries no
Access-Control-Allow-Originheader. A cross-originfetch()from an arbitrary malicious page is therefore blocked by the browser's same-origin policy and cannot read the body. The two realistic recovery paths are:nuxt dev --host(or otherwise binds to a non-loopback interface). A plaincurl http://<dev-lan-ip>:3000/.well-known/appspecific/com.chrome.devtools.jsonreturns the JSON; no browser, no CORS.127.0.0.1after the TTL; the browser believes the request is same-origin and reads the response.Affected versions
nuxt@4.0.0-alpha.1(PR #32084) throughnuxt@4.4.6.3.xis not affected.Reproduction
npx nuxt dev curl -s http://localhost:3000/.well-known/appspecific/com.chrome.devtools.json ##### {"workspace":{"uuid":"...","root":"/Users/<name>/..."}}Workaround
Set
experimental: { chromeDevtoolsProjectSettings: false }innuxt.config.ts. Chrome DevTools' Workspace auto-integration will stop working; the dev server is otherwise unaffected.Patches
Fixed in
nuxt@4.4.7by #35201 (commit55c75b78). The handler is now routed through the same host / origin gate the rest of the dev server uses, so the endpoint only responds to requests that look local.Severity
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nuxt/nuxt (nuxt)
v4.4.7Compare Source
👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.
👉 Changelog
compare changes
🩹 Fixes
noSSRbefore deciding payload extraction (#35108)allowDirs(#35112)pathefor buildCache path boundary check (#35111)isValidin dev clipboard-copy listener (#35109)reloadNuxtApppath before reload (#35115)getCachedDataafter initial fetch (#35122)useFetch/useAsyncDatafactory types (#35133)isScriptProtocolguard tonavigateToopen option (#35206)<NuxtPage>(#35198)<NuxtClientFallback>ssr output (#35199).d.mts/.d.ctsinresolveTypePaths(#35235)<NoScript>slot content (4b054e9d9)vue-router(07e39cd6f)<NuxtLink>href (0103ce06f)navigateTo(2cce6fb02)reloadNuxtApp(e447a793c)💅 Refactors
es2023array methods (#34980)runInNewContextwith AST walker (d72a89ef4)📖 Documentation
🏡 Chore
execFileSyncfor safety in release scripts (1d7baaf01)✅ Tests
🤖 CI
❤️ Contributors
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.