(Almost) Arbitary File Read on Development Server in nuxt/nuxt


Reported on

Apr 18th 2023


I previously disclosed an arbitrary file read due to Vite misconfiguration. This is a similar vulnerability with less impact.

Proof of Concept

Start any nuxt app in dev.

Browse to:

  • http://localhost:3000/__nuxt_vite_node__/module/C:/Windows/System32/calc.exe
  • http://localhost:3000/__nuxt_vite_node__/module//bin/passwd

Observe content of the file is leaked.


Not exactly certain how this works but only seems to work for binary files or sometimes files with tabs (but I couldn't always reproduce this). Some file extensions don't work. For these reasons I gave confidentiality: Low Only works when server is running in dev.


Read almost any file on the file system when using the development server. Great primitive for detecting installed software as reading binaries is easy.

Can leak runtime config easily with this, but it's unlikely to contain anything important on dev (hopefully).

The bug seems to exist within pretty much every version of nuxt from RC-8, but seems to fail on the Majority of Vite versions rather than leak the content in the error.

We are processing your report and will contact the nuxt team within 24 hours. a month ago
We have contacted a member of the nuxt team and are waiting to hear back a month ago
OhB00 modified the report
a month ago
Daniel Roe validated this vulnerability a month ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Anthony Fu marked this as fixed in 3.4.2 with commit 886350 a month ago
Anthony Fu has been awarded the fix bounty
This vulnerability will not receive a CVE
Anthony Fu published this vulnerability a month ago
to join this conversation