Dev mode Path traversal in nuxt/framework


Reported on

Oct 27th 2022


Vite is misconfigured within nuxt to permit any file to be retrieved from the file system.

Root Cause

Vite configuration has strict set to false.



  • Server must be running in developer mode

The vulnerability can be exploited using paths like the following: /_nuxt/@fs/etc/passwd

Proof of Concept

Deploy the default playground, then request http://server/_nuxt/@fs/etc/passwd


This vulnerability permits arbitrary file reads while the dev server is running.

This can provide a wide range of sensitive information on the target server depending on configuration.

Dev mode servers exposed to the internet do occur; Shodan reveals about 100 deployments that would likely be vulnerable in this case.


Strict set to false
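
To show what the strict setting changes, the following is an added example, not part of the original report and not Vite's or Nuxt's own code. It is a simplified model of an allow-list check for /@fs/ requests; the function names, the POSIX-only path handling and the project root /srv/app are assumptions made for the illustration.

```javascript
// Simplified model of a dev-server "/@fs/" allow-list check (illustration only).
const BASE = '/_nuxt/';   // dev asset base, as seen in the report's URL
const FS_PREFIX = '@fs/'; // the rest of the URL is treated as an absolute path

// Collapse "." and ".." segments so "/srv/app/../../etc" becomes "/etc".
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Returns null for non-@fs requests, otherwise { target, allowed }.
function checkFsRequest(url, { strict, allow }) {
  const pathOnly = url.split(/[?#]/)[0];
  const prefix = BASE + FS_PREFIX;
  if (!pathOnly.startsWith(prefix)) return null;
  let target;
  try {
    target = normalizePosix('/' + decodeURIComponent(pathOnly.slice(prefix.length)));
  } catch {
    return { target: null, allowed: false }; // malformed percent-encoding: refuse
  }
  // strict === false is the reported setting: no root check is applied at all.
  if (!strict) return { target, allowed: true };
  const allowed = allow.some((root) => {
    const r = normalizePosix(root);
    // Compare on a segment boundary so "/srv/app-backup" does not match "/srv/app".
    return target === r || target.startsWith(r === '/' ? '/' : r + '/');
  });
  return { target, allowed };
}

// Constructed sample requests (not taken from any real log).
const SAMPLE = [
  '/_nuxt/@fs/srv/app/pages/index.vue',
  '/_nuxt/@fs/etc/passwd',
  '/_nuxt/@fs/srv/app/../../etc/passwd',
  '/_nuxt/@fs/srv/app-backup/.env',
];

// Evaluate every sample against the assumed project root.
function audit(strict) {
  return SAMPLE.map((u) => checkFsRequest(u, { strict, allow: ['/srv/app'] }).allowed);
}
```

With strict enabled only the first sample, which lies inside the assumed project root, is served; with strict disabled all four are.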

We are processing your report and will contact the nuxt/framework team within 24 hours. 5 months ago
We have contacted a member of the nuxt/framework team and are waiting to hear back 5 months ago
5 months ago


Same issue in bridge

We have sent a follow up to the nuxt/framework team. We will try again in 7 days. 5 months ago
pooya parsa
5 months ago

PR landed to enable vite fs strict mode:

pooya parsa
5 months ago

/cc @danielroe about bridge

We have sent a second follow up to the nuxt/framework team. We will try again in 10 days. 4 months ago
4 months ago


Looks fixed to me, should probably hold off publishing this until bridge is fixed.

We have sent a third and final follow up to the nuxt/framework team. This report is now considered stale. 4 months ago
3 months ago


Seems fixed

pooya parsa validated this vulnerability a month ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Daniel Roe marked this as fixed in 3.0.0-rc.13 with commit 44b410 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
vite.ts#L67 has been validated
Daniel Roe published this vulnerability a month ago