build(deps): update devdependency @nuxt/devtools to ~1.3.0 [security] #45
+1,163 −1,910
This PR contains the following updates:
@nuxt/devtools (devDependencies): ~1.1.0 -> ~1.3.0
GitHub Vulnerability Alerts
CVE-2024-23657
Summary
Nuxt Devtools is missing authentication on the getTextAssetContent RPC function, which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data by abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE.
Details
The getTextAssetContent function does not check for path traversal (source); this could allow an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the Origin of the request (source), leading to cross-site WebSocket hijacking (CSWSH). This may be intentional to allow certain configurations to work correctly.
Nuxt Devtools authentication tokens are placed within the home directory of the current user (source).
In the scenario that:
The malicious webpage can connect to the Devtools WebSocket, perform a directory-traversal brute force to find the authentication token, then use the authenticated writeStaticAssets function to create a new Component, Nitro Handler or app.vue file, which will run automatically as the file is changed.
PoC
The PoC exploits the Devtools server on localhost:3000 (you may need to manually restart the server, as the restart hook does not always work).
PoC: https://devtools-exploit.pages.dev
pnpm run dev
The PoC will:
Impact
Release Notes
nuxt/devtools (@nuxt/devtools)
v1.3.9
Compare Source
Bug Fixes
- client.revision to trigger state editor update (418a22e)
- ofetch for fast-npm-meta (4188f8d)
v1.3.8
Compare Source
Performance Improvements
- npm-registry-fetch, save install size (3d74691)
v1.3.7
Compare Source
Bug Fixes
Features
Performance Improvements
- npm-registry-fetch instead of pacote to deduce the package size (a049c52)
v1.3.6
Compare Source
Features
v1.3.5
Compare Source
Bug Fixes
v1.3.4
Compare Source
Bug Fixes
v1.3.3
Compare Source
Bug Fixes
- @vue/devtools-* (4c79fac)
v1.3.2
Compare Source
Bug Fixes
v1.3.1
Compare Source
Bug Fixes
v1.3.0
Compare Source
Bug Fixes
- vite-plugin-vue-inspector, fix #657 (f67f0f2)
Features
v1.2.0
Compare Source
Bug Fixes
- builder:watch (#637) (800d71f)
- import.meta.* properties (#635) (ce60ab4)
1.1.5 (2024-03-28)
Features
- @vue/devtools-applet, fix #640 (cbb711d)
1.1.4 (2024-03-26)
Bug Fixes
1.1.3 (2024-03-21)
Bug Fixes
1.1.2 (2024-03-21)
Bug Fixes
Features
1.1.1 (2024-03-20)
Bug Fixes
v1.1.5
Compare Source
Features
- @vue/devtools-applet, fix #640 (cbb711d)
v1.1.4
Compare Source
Bug Fixes
v1.1.3
Compare Source
Bug Fixes
v1.1.2
Compare Source
Bug Fixes
Features
v1.1.1
Compare Source
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.