(Almost) Arbitrary File Read on Development Server in nuxt/nuxt

Valid

Reported on Apr 18th 2023


Description

I previously disclosed an arbitrary file read due to Vite misconfiguration. This is a similar vulnerability with less impact.

Proof of Concept

Start any nuxt app in dev.

Browse to:

  • http://localhost:3000/__nuxt_vite_node__/module/C:/Windows/System32/calc.exe
  • http://localhost:3000/__nuxt_vite_node__/module//bin/passwd

Observe content of the file is leaked.

Notes

Not exactly certain how this works but only seems to work for binary files or sometimes files with tabs (but I couldn't always reproduce this). Some file extensions don't work. For these reasons I gave confidentiality: Low.

Only works when server is running in dev.

Impact

Read almost any file on the file system when using the development server. Great primitive for detecting installed software as reading binaries is easy.

Can leak runtime config easily with this, but it's unlikely to contain anything important on dev (hopefully).

The bug seems to exist within pretty much every version of nuxt from RC-8, but seems to fail on the majority of Vite versions rather than leak the content in the error.
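
A containment check for the `/__nuxt_vite_node__/module/` URLs shown in the Proof of Concept, usable for reviewing dev-server request logs. This is an added example, not code from the report or from nuxt's fix; `classifyRequest`, `normalizeId`, the project root `/home/dev/app`, and the assumption that the text after the route prefix is an absolute filesystem path are all illustrative.

```javascript
// Added example: classify dev-server request paths that hit the vite-node
// module route by whether the requested id stays inside the project root.
// Assumption: the text after the prefix is an absolute filesystem path.
const PREFIX = '/__nuxt_vite_node__/module/';

// Normalise a POSIX or Windows-style path without touching the filesystem:
// unify separators, upper-case the drive letter, resolve "." and "..".
function normalizeId(id) {
  const unified = id.replace(/\\/g, '/');
  const drive = /^[A-Za-z]:/.test(unified) ? unified.slice(0, 2).toUpperCase() : '';
  const out = [];
  for (const seg of unified.slice(drive.length).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return drive + '/' + out.join('/');
}

// Returns 'not-module-route', 'malformed', 'inside-root' or 'outside-root'.
function classifyRequest(requestUrl, projectRoot) {
  const { pathname } = new URL(requestUrl, 'http://localhost:3000');
  if (!pathname.startsWith(PREFIX)) return 'not-module-route';
  let id;
  try {
    id = decodeURIComponent(pathname.slice(PREFIX.length));
  } catch {
    return 'malformed'; // invalid percent-encoding
  }
  if (id.includes('\0')) return 'malformed';
  const root = normalizeId(projectRoot);
  const target = normalizeId(id);
  // Compare on a segment boundary so "/home/dev/app-old" is not "inside".
  const inside = target === root || target.startsWith(root + '/');
  return inside ? 'inside-root' : 'outside-root';
}

// Constructed sample paths; the first two are the PoC URLs from the report.
const SAMPLE = [
  '/__nuxt_vite_node__/module/C:/Windows/System32/calc.exe',
  '/__nuxt_vite_node__/module//bin/passwd',
  '/__nuxt_vite_node__/module//home/dev/app/pages/index.vue',
  '/_nuxt/entry.js',
];
function triageSample() {
  return SAMPLE.map((p) => classifyRequest(p, '/home/dev/app'));
}
```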

We are processing your report and will contact the nuxt team within 24 hours. a month ago
We have contacted a member of the nuxt team and are waiting to hear back a month ago
OhB00 modified the report a month ago
Daniel Roe validated this vulnerability a month ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Anthony Fu marked this as fixed in 3.4.2 with commit 886350 a month ago
Anthony Fu has been awarded the fix bounty
This vulnerability will not receive a CVE
Anthony Fu published this vulnerability a month ago