Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2025-52662: XSS in Nuxt Devtools
traduction en cours…Plateforme
nuxt
Composant
@nuxt/devtools
Corrigé dans
2.6.4
CVE-2025-52662 describes a cross-site scripting (XSS) vulnerability discovered in Nuxt Devtools. This flaw could potentially allow an attacker to extract Nuxt authentication tokens under specific configurations. The vulnerability impacts versions 2.6.3–2.6.3 of Nuxt Devtools, and a fix is available in version 2.6.4.
Impact et Scénarios d'Attaquetraduction en cours…
Successful exploitation of this XSS vulnerability could lead to the unauthorized extraction of Nuxt authentication tokens. These tokens grant access to sensitive data and functionalities within the Nuxt.js application. An attacker could leverage these tokens to impersonate legitimate users, access restricted resources, and potentially compromise the entire application. The impact is particularly severe for applications relying on Nuxt Devtools for debugging and development workflows, as attackers could inject malicious scripts during development or testing phases.
Contexte d'Exploitationtraduction en cours…
CVE-2025-52662 was published on 2025-11-07. The vulnerability's impact is considered Medium, with a CVSS score of 6.9. No public proof-of-concept exploits are currently known, and there are no reports of active campaigns targeting this vulnerability. Refer to the official Nuxt.js advisory for more details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools.
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.04% (percentile 13%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Élevée — nécessite une condition de course, configuration non standard ou circonstances spécifiques.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Requise — la victime doit ouvrir un fichier, cliquer sur un lien ou visiter une page.
- Scope
- Modifié — l'attaque peut pivoter au-delà du composant vulnérable.
- Confidentiality
- Faible — accès partiel ou indirect à certaines données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Aucun — aucun impact sur la disponibilité.
Logiciel Affecté
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2025-52662 is to immediately upgrade Nuxt Devtools to version 2.6.4 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling or restricting access to Nuxt Devtools in production environments. While a direct WAF rule is unlikely to be effective against this XSS, carefully reviewing and sanitizing all user inputs within the Nuxt.js application remains a crucial defense-in-depth measure. After upgrading, verify the fix by attempting to trigger the vulnerable functionality and confirming that the authentication token is not exposed.
Comment corrigertraduction en cours…
Actualice Nuxt Devtools a la versión 2.6.4 o superior. Esto solucionará la vulnerabilidad XSS que permite la extracción de tokens de autenticación. Puede actualizar el paquete utilizando npm o yarn.
Questions fréquentestraduction en cours…
What is CVE-2025-52662 — XSS in Nuxt Devtools?
CVE-2025-52662 is a cross-site scripting (XSS) vulnerability affecting Nuxt Devtools versions 2.6.3–2.6.3. It allows potential extraction of Nuxt auth tokens under specific configurations.
Am I affected by CVE-2025-52662 in Nuxt Devtools?
If you are using Nuxt Devtools version 2.6.3–2.6.3, you are potentially affected. Upgrade to version 2.6.4 or later to mitigate the risk.
How do I fix CVE-2025-52662 in Nuxt Devtools?
The recommended fix is to upgrade Nuxt Devtools to version 2.6.4 or a later version. If upgrading is not immediately possible, consider temporarily restricting access to Nuxt Devtools.
Is CVE-2025-52662 being actively exploited?
As of the current assessment, there are no reports of active exploitation campaigns targeting CVE-2025-52662, but vigilance is still advised.
Where can I find the official Nuxt Devtools advisory for CVE-2025-52662?
You can find the official advisory and more details on the Nuxt.js changelog: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Essayez maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...