(Almost) Arbitrary File Read on Development Server in nuxt/nuxt

Valid

Reported on

Apr 18th 2023


Description

I previously disclosed an arbitrary file read due to Vite misconfiguration. This is a similar vulnerability with less impact.

Proof of Concept

Start any nuxt app in dev.

Browse to:

  • http://localhost:3000/__nuxt_vite_node__/module/C:/Windows/System32/calc.exe
  • http://localhost:3000/__nuxt_vite_node__/module//bin/passwd

Observe content of the file is leaked.

Notes

Not exactly certain how this works but only seems to work for binary files or sometimes files with tabs (but I couldn't always reproduce this). Some file extensions don't work. For these reasons I gave confidentiality: Low. Only works when server is running in dev.

Impact

Read almost any file on the file system when using the development server. Great primitive for detecting installed software as reading binaries is easy.

Can leak runtime config easily with this, but it's unlikely to contain anything important on dev (hopefully).

The bug seems to exist within pretty much every version of nuxt from RC-8, but seems to fail on the majority of Vite versions rather than leak the content in the error.

We are processing your report and will contact the nuxt team within 24 hours. 10 months ago
We have contacted a member of the nuxt team and are waiting to hear back 10 months ago
OhB00 modified the report 10 months ago
Daniel Roe validated this vulnerability 10 months ago
ohb00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Anthony Fu marked this as fixed in 3.4.2 with commit 886350 10 months ago
Anthony Fu has been awarded the fix bounty
This vulnerability has now been published 10 months ago
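
Both PoC requests in the report pass an absolute path as the module id. As an added example (not part of the original report, and not the fix shipped in 3.4.2), this is a containment check a dev-server handler could apply to such ids; the function names, the project roots and the allow/deny policy are assumptions, and only the route prefix comes from the report.

```javascript
// Added example, not Nuxt's code. PREFIX is taken from the report's PoC URLs;
// the project roots and the containment policy are assumptions.
const path = require('node:path');

const PREFIX = '/__nuxt_vite_node__/module/';

// Choose Windows or POSIX path rules from the root itself, so the check
// behaves the same whatever OS it is exercised on.
function flavorOf(root) {
  return /^[a-zA-Z]:[\\/]/.test(root) ? path.win32 : path.posix;
}

// Extract the module id from a request target (Node's req.url form).
// Returns null when the request is not for the module route.
function moduleIdFromUrl(reqUrl) {
  const pathname = reqUrl.split(/[?#]/)[0];
  if (!pathname.startsWith(PREFIX)) return null;
  try {
    return decodeURIComponent(pathname.slice(PREFIX.length));
  } catch {
    return ''; // malformed percent-encoding: empty id, rejected below
  }
}

// True only when the id resolves lexically to a path inside the root.
// Absolute ids are allowed as long as they stay inside the project.
function isInsideRoot(id, root) {
  if (!id || id.includes('\0')) return false;
  const p = flavorOf(root);
  const rel = p.relative(root, p.resolve(root, id));
  if (rel === '' || p.isAbsolute(rel)) return false; // root itself, or another drive
  return rel !== '..' && !rel.startsWith('..' + p.sep);
}

// Decision for one request: 'not-module', 'allow' or 'deny'.
function checkRequest(reqUrl, root) {
  const id = moduleIdFromUrl(reqUrl);
  if (id === null) return 'not-module';
  return isInsideRoot(id, root) ? 'allow' : 'deny';
}
```

The check is lexical only: a symlink inside the project that points elsewhere would still pass, so a real handler would also compare the `fs.realpath` of the target against the root.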
Am
6 months ago

@admin @maintainer Hi, it would be great if you publish a CVE for this. I wrote a CodeQL query to detect this pattern so anyone in the open source community can use this to detect whether their repositories are vulnerable or not, but first I need a CVE to submit my query. Also thanks a lot to @OhB00 for finding this nice vulnerability.
