
Nuxt 4.0.0-alpha.1 to 4.4.6 Exposes Filesystem Path via Unauthenticated Route


16 Jun 2026 · Read 1 min · Severity: schedule it

What changed

Nuxt 4.0.0-alpha.1 through 4.4.6 registers an unauthenticated route at `/.well-known/appspecific/com.chrome.devtools.json` that exposes the absolute filesystem path and a per-project UUID. Fixed in 4.4.7.

Who it affects

Developers running `nuxt dev` with `experimental.chromeDevtoolsProjectSettings: true` (default) on Nuxt 4.0.0-alpha.1 to 4.4.6, especially those binding to non-loopback interfaces or vulnerable to DNS rebinding.

What to do today

Upgrade to `nuxt@4.4.7` or set `experimental: { chromeDevtoolsProjectSettings: false }` in `nuxt.config.ts`.
