Frontend frameworks vulnerabilities

Recent months have seen a surge in security vulnerabilities affecting popular frontend frameworks. Here are some notable examples:

Eclipse on Next.js - Conditioned exploitation of an intended race-condition.

Next.js Authorization Bypass - Next.js and the corrupt middleware: the authorizing artifact.

Even more Next.js security vulnerabilities disclosed include the following two reports: 1, 2, all by Rachid.A (zhero), security researcher.

Nuxt, not immune of vulnerabilities, either - Nuxt, show me your payload - a basic CP DoS.

React-Router vulnerability - Pre-render data spoofing + CPDoS. This one sheds light on CVEs without much written context yet, but it follows a former React Router + Remix vulnerability disclosure.

Vite dev server found vulnerable - Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. Patched versions are already available so upgrade.

🔮 Node.js Tip of the Week

Node.js Tip of the Week: Sweet new permission model DX improvement providing an explicit allow-fs-read to app entrypoint. Thank you Rafael and Erick! ❤️

❗ New Security Vulnerabilities

• vuetify found vulnerable to CVE-2025-1461 Cross-site Scripting, 28 May 2025
• next found vulnerable to CVE-2025-48068 Missing Origin Validation in WebSockets, 29 May 2025