Scan free
MEDIUMCVE-2025-52662CVSS 6.9

CVE-2025-52662: XSS in Nuxt Devtools

Platform

nuxt

Component

@nuxt/devtools

Fixed in

2.6.4

View on NVD
Save

CVE-2025-52662 describes a cross-site scripting (XSS) vulnerability discovered in Nuxt Devtools. This flaw could potentially allow an attacker to extract Nuxt authentication tokens under specific configurations. The vulnerability impacts versions 2.6.3–2.6.3 of Nuxt Devtools, and a fix is available in version 2.6.4.

Impact and Attack Scenarios

Successful exploitation of this XSS vulnerability could lead to the unauthorized extraction of Nuxt authentication tokens. These tokens grant access to sensitive data and functionalities within the Nuxt.js application. An attacker could leverage these tokens to impersonate legitimate users, access restricted resources, and potentially compromise the entire application. The impact is particularly severe for applications relying on Nuxt Devtools for debugging and development workflows, as attackers could inject malicious scripts during development or testing phases.

Exploitation Context

CVE-2025-52662 was published on 2025-11-07. The vulnerability's impact is considered Medium, with a CVSS score of 6.9. No public proof-of-concept exploits are currently known, and there are no reports of active campaigns targeting this vulnerability. Refer to the official Nuxt.js advisory for more details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.04% (13% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N6.9MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityHighConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component@nuxt/devtools
VendorVercel
Minimum version2.6.3
Maximum version2.6.3
Fixed in2.6.4

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-52662 is to immediately upgrade Nuxt Devtools to version 2.6.4 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling or restricting access to Nuxt Devtools in production environments. While a direct WAF rule is unlikely to be effective against this XSS, carefully reviewing and sanitizing all user inputs within the Nuxt.js application remains a crucial defense-in-depth measure. After upgrading, verify the fix by attempting to trigger the vulnerable functionality and confirming that the authentication token is not exposed.

How to fix

Actualice Nuxt Devtools a la versión 2.6.4 o superior. Esto solucionará la vulnerabilidad XSS que permite la extracción de tokens de autenticación. Puede actualizar el paquete utilizando npm o yarn.

Frequently asked questions

What is CVE-2025-52662 — XSS in Nuxt Devtools?

CVE-2025-52662 is a cross-site scripting (XSS) vulnerability affecting Nuxt Devtools versions 2.6.3–2.6.3. It allows potential extraction of Nuxt auth tokens under specific configurations.

Am I affected by CVE-2025-52662 in Nuxt Devtools?

If you are using Nuxt Devtools version 2.6.3–2.6.3, you are potentially affected. Upgrade to version 2.6.4 or later to mitigate the risk.

How do I fix CVE-2025-52662 in Nuxt Devtools?

The recommended fix is to upgrade Nuxt Devtools to version 2.6.4 or a later version. If upgrading is not immediately possible, consider temporarily restricting access to Nuxt Devtools.

Is CVE-2025-52662 being actively exploited?

As of the current assessment, there are no reports of active exploitation campaigns targeting CVE-2025-52662, but vigilance is still advised.

Where can I find the official Nuxt Devtools advisory for CVE-2025-52662?

You can find the official advisory and more details on the Nuxt.js changelog: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...