Jun 16, 2026
Nuxt dev server's use of abstract-namespace Unix sockets on Linux allowed unauthorized local users to connect to the internal IPC server and extract sensitive developer files (such as .env files) without authentication.
A local security vulnerability in the Nuxt development server (nuxt dev) allows local unprivileged users to access sensitive configuration files and source code. On Linux environments running Node.js 20+, Nuxt bound its internal vite-node IPC server to an abstract-namespace Unix socket without any peer authentication, enabling co-resident local users to connect and request module code directly.
On Linux platforms running Node.js 20+, the Nuxt development framework utilizes an internal Inter-Process Communication (IPC) socket server to facilitate module loading between Vite and the Node.js runtime.
In vulnerable versions of Nuxt (4.0.0 to 4.4.6, and 3.18.0 to 3.21.6), this internal IPC server binds directly to a Linux abstract-namespace Unix socket rather than a traditional file-based socket.
Because abstract-namespace sockets lack filesystem inodes, they completely bypass traditional file and directory permission controls, enabling any unprivileged local user on the host system to discover and connect to the socket directly.
Once connected, the local attacker gains access to the fully exposed Vite-Node server endpoints without any secondary authentication or authorization checks.
The root cause of this vulnerability lies in the design of Linux abstract-namespace Unix sockets and how Node.js treats them when prefixed with a null byte (\0).
Traditional Unix domain sockets are represented as nodes on the filesystem, allowing administrators to restrict access using standard discretionary access controls (DAC) such as chmod 0700 or owner permissions.
Conversely, abstract sockets reside purely within the kernel's network namespace and have no filesystem representation, meaning file-level permissions do not apply to them.
Any process in the same network namespace can query /proc/net/unix to identify the socket's unique identifier and open a stream connection to it.
Because the internal createViteNodeSocketServer listening function performed no authorization checks (such as verifying the peer process owner UID or validating a token), the socket was left completely open to all co-resident users.
The original implementation of generateSocketPath in packages/vite/src/plugins/vite-node.ts generated a path starting with a null byte for Linux systems.
```ts
// Vulnerable Code Path
if (process.platform === 'linux') {
  const nodeMajor = Number.parseInt(process.versions.node.split('.')[0]!, 10)
  if (nodeMajor >= 20 && provider !== 'stackblitz') {
    // ... checks for Docker omitted ...
    if (!isDocker) {
      return `\0${socketName}.sock` // Leading null byte makes Node bind an abstract socket
    }
  }
}
```

The patch resolved this exposure by removing the abstract socket logic entirely and enforcing a secure, permission-restricted directory pattern.
```ts
// Patched Code Path (v4)
import fs from 'node:fs'
import os from 'node:os'
import { join } from 'node:path'

// Return shape inferred from the function body below
interface SocketPathInfo {
  socketPath: string
  parentDir?: string
}

export function pickSocketPath (platform: NodeJS.Platform): SocketPathInfo {
  const uniqueSuffix = `${process.pid}-${Date.now()}`
  const socketName = `nuxt-vite-node-${uniqueSuffix}`
  if (platform === 'win32') {
    return { socketPath: join(String.raw`\\.\pipe`, socketName) }
  }
  // Enforce secure 0700 directory permissions
  const parentDir = fs.mkdtempSync(join(os.tmpdir(), 'nuxt-vite-node-'))
  fs.chmodSync(parentDir, 0o700)
  return { socketPath: join(parentDir, `${socketName}.sock`), parentDir }
}
```

Additionally, to close the window between directory creation and socket binding, the patch wraps socket listener instantiation in a strict umask boundary:
```ts
// Secure Socket Listening
const previousUmask = process.umask(0o077) // socket file is created with mode 0777 & ~umask
try {
  server.listen(socketPath, () => {
    try {
      fs.chmodSync(socketPath, 0o600)
    } catch (error) {
      // If the socket cannot be locked down, refuse to serve on it
      server.close()
    }
  })
} finally {
  process.umask(previousUmask) // restore the process-wide umask promptly
}
```

An attacker on a multi-tenant Linux server or workstation can locate active Nuxt dev instances and query files through the exposed IPC server.
First, the attacker enumerates active abstract sockets by reading /proc/net/unix.
```sh
grep -o -E "nuxt-vite-node-[0-9\-]+\.sock" /proc/net/unix
```

Once the target socket ID is obtained, the attacker uses Netcat with the -U flag (and the @ prefix signifying an abstract socket path) to establish a raw stream connection.

```sh
nc -U "@nuxt-vite-node-[PID]-[TIMESTAMP].sock"
```

Finally, the attacker issues a raw JSON instruction to fetch a module, instructing the server to resolve a local path bypassing Vite's server.fs.allow configuration.
```json
{
  "id": 1,
  "type": "module",
  "moduleId": "/home/developer/app/.env?raw"
}
```

The server responds directly with the content of the target file, facilitating arbitrary local file reading with the permissions of the developer process.
The security impact of GHSA-534h-c3cw-v3h9 is rated as Medium (CVSS 5.5) due to the prerequisite of local system access, but the consequences can be significant.
If the development environment is run on shared infrastructure, such as multi-user workstations, academic labs, bastion servers, or shared development servers, any unprivileged system user can leverage this vulnerability.
By accessing the IPC interface, the attacker bypasses Vite's browser-oriented cross-origin and directory traversal restrictions.
This permits the reading of database passwords, API tokens, local SSH private keys, and application source code, resulting in complete local confidential information disclosure.
The primary defensive mitigation is to update to the patched releases: Nuxt 4.4.7 or 3.21.7.
In environments where upgrading dependencies is not immediately feasible, developers can isolate their dev environment using standard Linux containers.
```sh
# Run Nuxt dev in a rootless container to isolate namespaces
# (abstract sockets are scoped to the network namespace, so do not use --network host)
docker run --rm -it -v "$(pwd)":/src -w /src node:20 npm run dev
```

System administrators can detect potential exploitation attempts by auditing /proc filesystem accesses or using system call tracing (such as sysdig or auditd) to monitor unauthorized processes establishing Unix socket connections containing the nuxt-vite-node pattern.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| nuxt (Nuxt) | >= 4.0.0, < 4.4.7 | 4.4.7 |
| nuxt (Nuxt) | >= 3.18.0, < 3.21.7 | 3.21.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-276 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Exploit Status | Proof of Concept |