Nuxt Dev Server IPC Socket Permission Bypass (GHSA-5gvc-46gq-948j)

How the CVE Works

When `nuxt dev` runs on Linux with Node.js 20+ (outside Docker or StackBlitz), Nuxt’s internal Vite‑Node IPC server binds to an abstract‑namespace Unix socket – a socket that lives only in memory and has no filesystem inode or permission bits. The socket path follows the pattern `\0nuxt-vite-node-<pid>-<ts>.sock`.
Because abstract sockets lack traditional UNIX permission controls, any local user who can read `/proc/net/unix` can discover the socket name and connect to it. The IPC server does not perform any peer‑credential checks (e.g., `SO_PEERCRED`) or require a shared secret before processing requests.

Two request types are especially dangerous:

– `module` – accepts a `moduleId` field that is passed directly to Vite’s `ssrFetchModule()`. This function is not subject to Vite’s HTTP‑layer `server.fs.allow` deny‑list, so it will read any file on the filesystem that the dev process can access.
– `resolve` – allows filesystem path probing, which can be used to map out the project structure.

An unprivileged local attacker can therefore request paths like:

/home/<dev>/project/.env?raw
~/.ssh/id_rsa?raw

and receive the raw contents of those files through the dev server’s SSR plugin pipeline.

This vulnerability only affects development environments (`nuxt dev`). Production builds (`nuxt build` / `nuxt start`) are not impacted because the IPC server does not run. It also does not affect macOS, Windows, Docker, StackBlitz, single‑user laptops, or per‑job containerised CI runners.

The issue is fixed in nuxt@4.4.7 (commit 1f9f4767) and backported to nuxt@3.21.7 (commit c293bf95). The patch removes the abstract‑namespace branch entirely, forcing the IPC server to bind to a filesystem socket under the OS temp directory with `chmod 0600` applied after `listen()`. If the `chmod` fails, the server shuts down rather than serving requests on an insecure channel.
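
The behaviour described for the fix (filesystem socket under the OS temp directory, `chmod 0600` after `listen()`, shutdown if `chmod` fails), shown as an added Node.js example; it is not the Nuxt patch itself. The helper names `makeSocketPath` and `listenOwnerOnly`, the `example-ipc-` prefix and the private temp directory are assumptions of this example.

```javascript
// Added example (not Nuxt's code): owner-only filesystem socket that fails closed.
const fs = require('node:fs');
const net = require('node:net');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: pick a socket path inside a fresh directory under the
// OS temp dir. mkdtemp creates the directory with mode 0700, so other users
// cannot reach the socket even in the short window between listen() and
// chmod() (an extra step in this example, not something the page describes).
function makeSocketPath(prefix = 'example-ipc-') {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
  return path.join(dir, 'ipc.sock');
}

// Listen, then restrict the socket inode to its owner. If chmod throws, close
// the server and reject, so no request is served on a looser socket.
// `chmod` is injectable only so the failure path can be exercised.
function listenOwnerOnly(server, socketPath, chmod = fs.chmodSync) {
  return new Promise((resolve, reject) => {
    server.once('error', reject);
    server.listen(socketPath, () => {
      try {
        chmod(socketPath, 0o600);
        resolve(socketPath);
      } catch (err) {
        server.close(() => reject(err));
      }
    });
  });
}

// Demo: start, read back the resulting permission bits, shut down again.
async function demo() {
  const server = net.createServer((conn) => conn.end('ok\n'));
  const socketPath = await listenOwnerOnly(server, makeSocketPath());
  const mode = fs.statSync(socketPath).mode & 0o777;
  await new Promise((done) => server.close(done));
  fs.rmSync(path.dirname(socketPath), { recursive: true, force: true });
  return mode.toString(8);
}

demo().then((mode) => console.log('socket mode:', mode)).catch(console.error);
```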

DailyCVE Form

Platform: Nuxt.js
Version: <3.21.7, <4.4.7
Vulnerability: IPC Socket Permission Bypass
Severity: Medium
Date: 2026-06-02
Prediction: Already Patched

What Undercode Say

Analytics

  • Affected versions: Nuxt 3.x < 3.21.7 and 4.x < 4.4.7
  • Attack vector: Local (requires co‑resident unprivileged user on the same Linux host)
  • Exploitable conditions: `nuxt dev` running, abstract‑namespace socket active, no peer‑credential checks
  • Potential data exposed: `.env` files, SSH private keys, application source code, configuration files
  • CVSS v3 base score (estimated): 5.5 (Medium) – AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Bash Commands & Codes

# 1. Enumerate active abstract sockets (look for \0nuxt-vite-node-.sock)
grep 'nuxt-vite-node' /proc/net/unix
# 2. Connect to the discovered socket and send a 'module' request to read a file
#    (replace SOCKET_PATH with the actual abstract socket name, e.g. @nuxt-vite-node-1234-5678.sock)
printf '{"type":"module","moduleId":"/home/dev/project/.env?raw"}\n' | socat - ABSTRACT-CONNECT:SOCKET_PATH
# 3. For filesystem probing via 'resolve' request
printf '{"type":"resolve","path":"/etc/passwd"}\n' | socat - ABSTRACT-CONNECT:SOCKET_PATH

Exploit

A local attacker with low privileges can:

  1. Read `/proc/net/unix` to obtain the abstract socket name (e.g., @nuxt-vite-node-1234-5678.sock).
  2. Connect to that socket using a tool like `socat` or a custom script.
  3. Send a JSON‑formatted `module` request with a `moduleId` pointing to a sensitive file (e.g., .env, ~/.ssh/id_rsa).
  4. Receive the file contents in the server’s response, exfiltrating secrets or source code.

Because the IPC server does not validate the caller’s UID or require any authentication, this attack works without special privileges beyond being able to connect to a local socket.

Protection

  • Upgrade immediately to nuxt@4.4.7 or nuxt@3.21.7 (the fix is backported).
  • If upgrade is not possible, apply one of these workarounds:
      – Run `nuxt dev` inside a container or VM with no other tenants (Docker already falls back to a filesystem socket in vulnerable versions).
      – Bind the dev process to a single‑user namespace using `unshare -U` (rootless containers).
      – Restrict visibility of `/proc/net/unix` with the `hidepid=2` mount option (this is only a partial mitigation).
  • Verify that the IPC socket is now a filesystem socket with `0600` permissions after upgrading.
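
For the verification step above, an added example (not from the advisory or from Nuxt) that parses `/proc/net/unix` text and reports whether each `nuxt-vite-node` socket is still abstract or is an owner‑only filesystem socket. The sample lines, the `/tmp` socket name and the function names are constructed for illustration.

```javascript
// Added example: audit /proc/net/unix text for Nuxt Vite-Node IPC sockets.
const fs = require('node:fs');

// Constructed sample in /proc/net/unix format (inodes and the /tmp name are made up).
const SAMPLE = [
  'Num       RefCount Protocol Flags    Type St Inode Path',
  '0000000000000000: 00000002 00000000 00010000 0001 01 41001 @nuxt-vite-node-1234-5678.sock',
  '0000000000000000: 00000002 00000000 00010000 0001 01 41002 /tmp/nuxt-vite-node-4321.sock',
  '0000000000000000: 00000003 00000000 00000000 0001 03 41003 /run/dbus/system_bus_socket',
  '0000000000000000: 00000003 00000000 00000000 0001 03 41004',
].join('\n');

// Permission bits of a filesystem socket, or null if it cannot be stat'ed.
function defaultStatMode(socketPath) {
  try { return fs.statSync(socketPath).mode & 0o777; } catch { return null; }
}

// statMode is injectable so the check can be exercised without real sockets.
function auditUnixSockets(procNetUnix, statMode = defaultStatMode) {
  const findings = [];
  for (const line of procNetUnix.split('\n').slice(1)) {
    // Columns: Num RefCount Protocol Flags Type St Inode [Path]
    const socketPath = line.trim().split(/\s+/).slice(7).join(' ');
    if (!socketPath.includes('nuxt-vite-node')) continue;
    if (socketPath.startsWith('@')) {
      // The kernel prints the leading NUL of an abstract name as '@'.
      findings.push({ path: socketPath, kind: 'abstract', ok: false,
        reason: 'abstract-namespace socket has no permission bits' });
      continue;
    }
    const mode = statMode(socketPath);
    const ok = mode !== null && (mode & 0o077) === 0;
    const reason = mode === null ? 'cannot stat socket'
      : 'mode ' + mode.toString(8) + (ok ? ': owner only' : ': group/other access');
    findings.push({ path: socketPath, kind: 'filesystem', ok, reason });
  }
  return findings;
}

// Run against the constructed sample, pretending the /tmp socket is 0600.
console.log(auditUnixSockets(SAMPLE, () => 0o600));
```

On a real host, pass `fs.readFileSync('/proc/net/unix', 'utf8')` as the first argument and leave `statMode` at its default.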

Impact

Confidentiality breach – an attacker can read any file accessible by the user running `nuxt dev`, including:

– Environment variables (`.env`) containing API keys, database credentials, and cloud secrets.
– SSH private keys (`~/.ssh/id_rsa`), enabling lateral movement or privilege escalation.
– Application source code and configuration files, exposing business logic and internal endpoints.

Integrity and availability are not directly affected, but the exposed credentials can lead to further attacks on production systems. The vulnerability is local and requires a multi‑tenant Linux environment (shared lab machines, bastion hosts, or CI runners without isolation) to be exploitable. Single‑user systems are not at risk.

Sources:

Reported By: github.com