此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2025-52662 describes a cross-site scripting (XSS) vulnerability discovered in Nuxt Devtools. This flaw could potentially allow an attacker to extract Nuxt authentication tokens under specific configurations. The vulnerability impacts versions 2.6.3–2.6.3 of Nuxt Devtools, and a fix is available in version 2.6.4.
影响与攻击场景翻译中…
Successful exploitation of this XSS vulnerability could lead to the unauthorized extraction of Nuxt authentication tokens. These tokens grant access to sensitive data and functionalities within the Nuxt.js application. An attacker could leverage these tokens to impersonate legitimate users, access restricted resources, and potentially compromise the entire application. The impact is particularly severe for applications relying on Nuxt Devtools for debugging and development workflows, as attackers could inject malicious scripts during development or testing phases.
利用背景翻译中…
CVE-2025-52662 was published on 2025-11-07. The vulnerability's impact is considered Medium, with a CVSS score of 6.9. No public proof-of-concept exploits are currently known, and there are no reports of active campaigns targeting this vulnerability. Refer to the official Nuxt.js advisory for more details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools.
威胁情报
漏洞利用状态
EPSS
0.04% (13% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 高 — 需要竞态条件、非默认配置或特定情况。难以可靠利用。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 需要 — 受害者必须打开文件、点击链接或访问特制页面。
- Scope
- 已改变 — 攻击可以超出脆弱组件,影响其他系统。
- Confidentiality
- 低 — 可访问部分数据。
- Integrity
- 高 — 攻击者可写入、修改或删除任何数据。
- Availability
- 无 — 无可用性影响。
受影响的软件
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2025-52662 is to immediately upgrade Nuxt Devtools to version 2.6.4 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling or restricting access to Nuxt Devtools in production environments. While a direct WAF rule is unlikely to be effective against this XSS, carefully reviewing and sanitizing all user inputs within the Nuxt.js application remains a crucial defense-in-depth measure. After upgrading, verify the fix by attempting to trigger the vulnerable functionality and confirming that the authentication token is not exposed.
修复方法翻译中…
Actualice Nuxt Devtools a la versión 2.6.4 o superior. Esto solucionará la vulnerabilidad XSS que permite la extracción de tokens de autenticación. Puede actualizar el paquete utilizando npm o yarn.
常见问题翻译中…
What is CVE-2025-52662 — XSS in Nuxt Devtools?
CVE-2025-52662 is a cross-site scripting (XSS) vulnerability affecting Nuxt Devtools versions 2.6.3–2.6.3. It allows potential extraction of Nuxt auth tokens under specific configurations.
Am I affected by CVE-2025-52662 in Nuxt Devtools?
If you are using Nuxt Devtools version 2.6.3–2.6.3, you are potentially affected. Upgrade to version 2.6.4 or later to mitigate the risk.
How do I fix CVE-2025-52662 in Nuxt Devtools?
The recommended fix is to upgrade Nuxt Devtools to version 2.6.4 or a later version. If upgrading is not immediately possible, consider temporarily restricting access to Nuxt Devtools.
Is CVE-2025-52662 being actively exploited?
As of the current assessment, there are no reports of active exploitation campaigns targeting CVE-2025-52662, but vigilance is still advised.
Where can I find the official Nuxt Devtools advisory for CVE-2025-52662?
You can find the official advisory and more details on the Nuxt.js changelog: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...