(Almost) Arbitrary File Read on Development Server in nuxt/nuxt
Apr 18th 2023
I previously disclosed an arbitrary file read due to Vite misconfiguration. This is a similar vulnerability with less impact.
Proof of Concept
Start any nuxt app in dev.
Observe content of the file is leaked.
Not exactly certain how this works, but it only seems to work for binary files or sometimes files with tabs (but I couldn't always reproduce this). Some file extensions don't work. For these reasons I gave confidentiality: Low. Only works when the server is running in dev.
Read almost any file on the file system when using the development server. Great primitive for detecting installed software as reading binaries is easy.
Can leak runtime config easily with this, but it's unlikely to contain anything important on dev (hopefully).
The bug seems to exist within pretty much every version of nuxt from RC-8, but seems to fail on the majority of Vite versions rather than leak the content in the error.