GHSA-534h-c3cw-v3h9: Nuxt dev server vite-node IPC socket is world-connectable on Linux
Summary
When developers run `nuxt dev` on Linux with Node.js 20+, Nuxt creates an IPC server (a communication channel for its internal processes) on an abstract-namespace Unix socket, which has no filesystem entry and therefore no file permissions. Any other user on the same machine can connect to this socket and request sensitive files such as `.env` or SSH keys, exposing the developer's secrets. This only affects shared Linux machines and does not impact production builds, macOS, Windows, or containerized environments.
Solution / Mitigation
Fixed in `nuxt@4.4.7` and backported to `nuxt@3.21.7`. The fix removes the abstract-namespace socket entirely and instead uses a filesystem Unix socket under the OS temp directory with `chmod 0600` permissions (restricting access to the owner only). If setting the permissions fails, the server closes rather than running on an unrestricted channel. Alternatively, if you cannot upgrade immediately, run `nuxt dev` inside a container or VM with no other users, use a single-user namespace (`unshare -U`), or restrict visibility of `/proc/net/unix` via `hidepid=2` mount options (though this is only a partial mitigation).
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-534h-c3cw-v3h9
First tracked: June 16, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%