GHSA-534h-c3cw-v3h9: Anthropic Python local unauth

Q: Is GHSA-534h-c3cw-v3h9 actively exploited?

No confirmed active exploitation of GHSA-534h-c3cw-v3h9 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-534h-c3cw-v3h9?

1. PATCH: Upgrade to nuxt 4.4.7 (v4 series) or 3.21.7 (v3 series) immediately — the fix removes abstract-namespace socket binding entirely and replaces it with a chmod 0600 filesystem socket under the OS temp directory; if the chmod fails, the server refuses to serve. 2. IMMEDIATE WORKAROUND (if patching is blocked): Run nuxt dev inside Docker or any OCI container — vulnerable versions already fall back to filesystem sockets in Docker environments. Alternatively, isolate the dev process with `unshare -U` (rootless user namespace). 3. CREDENTIAL ROTATION: Audit and rotate any AI API keys, database credentials, or SSH private keys stored in .env files on shared Linux hosts running vulnerable nuxt versions. Assume exposure if the host had other tenants during the vulnerable window. 4. DETECTION: On Linux hosts with auditd, add rules for SOCK_CREATE events against abstract-namespace sockets (prefix '\0'); review /proc/net/unix logs or socket audit trails for unexpected connections matching nuxt-vite-node-* patterns. 5. PARTIAL MITIGATION ONLY: Mount /proc with hidepid=2 to restrict /proc/net/unix visibility — does not block exploitation if socket address is already known or guessed.

Q: What systems are affected by GHSA-534h-c3cw-v3h9?

This vulnerability affects the following AI/ML architecture patterns: AI application development environments on shared Linux hosts, Shared CI/CD pipelines running nuxt dev, LLM-powered web application frontends built with Nuxt, RAG application frontends using Nuxt as the UI layer.

Q: What is the CVSS score for GHSA-534h-c3cw-v3h9?

GHSA-534h-c3cw-v3h9 has a CVSS v3.1 base score of 5.5 (MEDIUM).

CISO Take

Nuxt's development server on Linux (Node.js 20+) binds its internal vite-node IPC socket to an abstract-namespace Unix socket that carries no file-permission bits and no authentication whatsoever, allowing any co-resident local user to request arbitrary files — including .env API keys and SSH private keys — through the SSR module-fetch pipeline. With 5,435 downstream package dependents and a CVSS confidentiality impact of HIGH, this is a critical risk on shared CI runners, lab machines, and multi-tenant bastions where AI developers routinely store LLM API credentials in .env files; a single malicious job on a shared runner can drain every concurrent developer's secrets in under a second with no audit trail on the victim side. The fix is straightforward: upgrade to nuxt 4.4.7 (v4) or 3.21.7 (v3); teams blocked from patching should run `nuxt dev` inside Docker, which already triggers the safe filesystem-socket fallback in vulnerable versions, and must rotate any exposed credentials immediately.

Sources: GitHub Advisory ATLAS NVD

What is the risk?

CVSS 5.5 (Medium) reflects the local-only attack vector, but practical risk is HIGH for teams running nuxt dev on shared Linux infrastructure. Exploitation requires only read access to /proc/net/unix — available to all local users by default on most Linux distributions — and zero AI or ML expertise; a competent script-kiddie can automate socket enumeration and file exfiltration in minutes. For AI application development teams storing LLM API keys (OpenAI, Anthropic, Cohere, etc.), vector database connection strings, and model-serving tokens in .env files, a successful exploit yields full credential compromise with no server-side log entry generated. Risk is LOW for single-user laptops, macOS/Windows workstations, and properly container-isolated CI pipelines.

How does the attack unfold?

Socket Enumeration

Attacker reads /proc/net/unix on the shared Linux host to enumerate all abstract-namespace Unix sockets and identify the Nuxt vite-node IPC endpoint matching the pattern nuxt-vite-node-<pid>-<ts>.sock.

AML.T0006

Unauthenticated IPC Access

Attacker connects directly to the abstract-namespace socket — no peer-credential check, no shared secret, and no authentication mechanism blocks the connection.

AML.T0106

Credential File Exfiltration

Attacker sends crafted IPC 'module' requests with moduleId targeting .env files and SSH keys; vite-node's SSR fetchModule() reads and returns file contents verbatim, bypassing Vite's fs.allow deny-list.

AML.T0037

AI Service Compromise

Exfiltrated AI API keys (OpenAI, Anthropic, etc.), database credentials, and SSH private keys are leveraged to access upstream AI inference services, training data, or cloud infrastructure without the victim's knowledge.

AML.T0055

Socket Enumeration

Attacker reads /proc/net/unix on the shared Linux host to enumerate all abstract-namespace Unix sockets and identify the Nuxt vite-node IPC endpoint matching the pattern nuxt-vite-node-<pid>-<ts>.sock.

AML.T0006

Unauthenticated IPC Access

Attacker connects directly to the abstract-namespace socket — no peer-credential check, no shared secret, and no authentication mechanism blocks the connection.

AML.T0106

Credential File Exfiltration

Attacker sends crafted IPC 'module' requests with moduleId targeting .env files and SSH keys; vite-node's SSR fetchModule() reads and returns file contents verbatim, bypassing Vite's fs.allow deny-list.

AML.T0037

AI Service Compromise

Exfiltrated AI API keys (OpenAI, Anthropic, etc.), database credentials, and SSH private keys are leveraged to access upstream AI inference services, training data, or cloud infrastructure without the victim's knowledge.

AML.T0055

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Anthropic Python	npm	>= 4.0.0, < 4.4.7	`4.4.7`
3.6K 5.4K dependents Pushed 6d ago 91% patched ~2d to patch Full package profile →

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

PATCH

Upgrade to nuxt 4.4.7 (v4 series) or 3.21.7 (v3 series) immediately — the fix removes abstract-namespace socket binding entirely and replaces it with a chmod 0600 filesystem socket under the OS temp directory; if the chmod fails, the server refuses to serve.
IMMEDIATE WORKAROUND (if patching is blocked): Run nuxt dev inside Docker or any OCI container — vulnerable versions already fall back to filesystem sockets in Docker environments. Alternatively, isolate the dev process with unshare -U (rootless user namespace).
CREDENTIAL ROTATION

Audit and rotate any AI API keys, database credentials, or SSH private keys stored in .env files on shared Linux hosts running vulnerable nuxt versions. Assume exposure if the host had other tenants during the vulnerable window.
DETECTION

On Linux hosts with auditd, add rules for SOCK_CREATE events against abstract-namespace sockets (prefix '\0'); review /proc/net/unix logs or socket audit trails for unexpected connections matching nuxt-vite-node-* patterns.
PARTIAL MITIGATION ONLY

Mount /proc with hidepid=2 to restrict /proc/net/unix visibility — does not block exploitation if socket address is already known or guessed.

How is it classified?

Data Extraction Data Leakage Framework API AML.T0006 - Active Scanning AML.T0037 - Data from Local System AML.T0055 - Unsecured Credentials AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk Management System

ISO 42001

A.8.2 - AI System Development Security

NIST AI RMF

GOVERN 6.1 - Policies for AI Risk Management in Development

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is GHSA-534h-c3cw-v3h9?

Nuxt's development server on Linux (Node.js 20+) binds its internal vite-node IPC socket to an abstract-namespace Unix socket that carries no file-permission bits and no authentication whatsoever, allowing any co-resident local user to request arbitrary files — including .env API keys and SSH private keys — through the SSR module-fetch pipeline. With 5,435 downstream package dependents and a CVSS confidentiality impact of HIGH, this is a critical risk on shared CI runners, lab machines, and multi-tenant bastions where AI developers routinely store LLM API credentials in .env files; a single malicious job on a shared runner can drain every concurrent developer's secrets in under a second with no audit trail on the victim side. The fix is straightforward: upgrade to nuxt 4.4.7 (v4) or 3.21.7 (v3); teams blocked from patching should run `nuxt dev` inside Docker, which already triggers the safe filesystem-socket fallback in vulnerable versions, and must rotate any exposed credentials immediately.

Is GHSA-534h-c3cw-v3h9 actively exploited?

No confirmed active exploitation of GHSA-534h-c3cw-v3h9 has been reported, but organizations should still patch proactively.

How to fix GHSA-534h-c3cw-v3h9?

1. PATCH: Upgrade to nuxt 4.4.7 (v4 series) or 3.21.7 (v3 series) immediately — the fix removes abstract-namespace socket binding entirely and replaces it with a chmod 0600 filesystem socket under the OS temp directory; if the chmod fails, the server refuses to serve. 2. IMMEDIATE WORKAROUND (if patching is blocked): Run nuxt dev inside Docker or any OCI container — vulnerable versions already fall back to filesystem sockets in Docker environments. Alternatively, isolate the dev process with `unshare -U` (rootless user namespace). 3. CREDENTIAL ROTATION: Audit and rotate any AI API keys, database credentials, or SSH private keys stored in .env files on shared Linux hosts running vulnerable nuxt versions. Assume exposure if the host had other tenants during the vulnerable window. 4. DETECTION: On Linux hosts with auditd, add rules for SOCK_CREATE events against abstract-namespace sockets (prefix '\0'); review /proc/net/unix logs or socket audit trails for unexpected connections matching nuxt-vite-node-* patterns. 5. PARTIAL MITIGATION ONLY: Mount /proc with hidepid=2 to restrict /proc/net/unix visibility — does not block exploitation if socket address is already known or guessed.

What systems are affected by GHSA-534h-c3cw-v3h9?

This vulnerability affects the following AI/ML architecture patterns: AI application development environments on shared Linux hosts, Shared CI/CD pipelines running nuxt dev, LLM-powered web application frontends built with Nuxt, RAG application frontends using Nuxt as the UI layer.

What is the CVSS score for GHSA-534h-c3cw-v3h9?

GHSA-534h-c3cw-v3h9 has a CVSS v3.1 base score of 5.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI application development environments on shared Linux hostsShared CI/CD pipelines running nuxt devLLM-powered web application frontends built with NuxtRAG application frontends using Nuxt as the UI layer

MITRE ATLAS Techniques

AML.T0006 Active Scanning

AML.T0037 Data from Local System

AML.T0055 Unsecured Credentials

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.8.2

NIST AI RMF: GOVERN 6.1

OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

### Impact When running `nuxt dev` on Linux (Node.js 20+, outside Docker / StackBlitz), Nuxt's internal vite-node IPC server binds to a Linux abstract-namespace Unix socket (`\0nuxt-vite-node-<pid>-<ts>.sock`). Abstract sockets have no filesystem inode and therefore no permission bits: any local UID on the host that can read `/proc/net/unix` can enumerate the socket and connect to it. The IPC server does not perform any peer-credential or shared-secret check before dispatching requests. The `module` request type passes its `moduleId` field straight into Vite's SSR `fetchModule()`, which is not gated by Vite's HTTP-layer `server.fs.allow` deny-list. A co-resident unprivileged local user can therefore request paths like `/home/<dev>/project/.env?raw` or `~/.ssh/id_rsa?raw` and read the developer's secrets through the dev server's SSR plugin pipeline. The `resolve` request type additionally enables filesystem probing. This affects developers running `nuxt dev` on shared multi-tenant Linux hosts (lab machines, shared bastions, CI runners shared between jobs without per-job container isolation). It does not affect: - Production builds (`nuxt build` / `nuxt start`). The IPC server only runs in development. - macOS or Windows developers. - Docker / StackBlitz environments, which already fall back to a filesystem socket. - Single-user laptops or per-job containerised CI. ### Patches Fixed in `nuxt@4.4.7` (commit [`1f9f4767`](https://github.com/nuxt/nuxt/commit/1f9f4767a8725104da9bee872bb8d35246f25ae5)) and backported to `nuxt@3.21.7` (commit [`c293bf95`](https://github.com/nuxt/nuxt/commit/c293bf9503ccb3bc9559bff4a1f592f99063c9ea)). The fix removes the abstract-namespace branch entirely. The IPC server now always binds to a filesystem Unix socket under the OS temp directory and explicitly `chmod 0600`s it after `listen()`, restricting connections to the owning UID. If the chmod fails for any reason, the server closes rather than serve requests on an unrestricted channel. ### Workarounds If you cannot upgrade immediately on an affected host: - Run `nuxt dev` inside a container or VM with no other tenants. Docker already triggers the filesystem-socket fallback in vulnerable versions and that fallback is unaffected. - Bind the dev process to a single-user namespace (`unshare -U`, rootless containers). - Restrict `/proc/net/unix` visibility via `hidepid=2` mount options where applicable, though this is partial mitigation only. ### References - Affected file: `packages/vite/src/plugins/vite-node.ts` - CWE-276: Incorrect Default Permissions ### Credit Reported by Anthropic / Claude as part of Anthropic's coordinated vulnerability disclosure programme, reference ANT-2026-MSNKZFAT. Thanks to the Anthropic security team for the report and the detailed reproduction. Independently reported by [@alcls01111](https://github.com/alcls01111) via GitHub's coordinated disclosure flow (`GHSA-5gvc-46gq-948j`), closed as a duplicate of this advisory.

Exploitation Scenario

On a shared CI runner where multiple developer jobs execute concurrently, an attacker's malicious job reads /proc/net/unix to enumerate abstract Unix sockets matching the pattern nuxt-vite-node-<pid>-<ts>.sock belonging to a concurrent legitimate developer job. The attacker connects directly to the socket — no credential or token required — and sends a JSON IPC message with type 'module' and moduleId set to '/home/dev/project/.env?raw'. The vite-node IPC handler passes this path to Vite's SSR fetchModule(), which reads and returns the file contents including OPENAI_API_KEY, ANTHROPIC_API_KEY, DATABASE_URL, and STRIPE_SECRET_KEY. The attacker iterates additional targets — ~/.ssh/id_rsa, ~/.npmrc, ~/.aws/credentials — using the resolve request type to probe the filesystem first. The entire operation completes in under two seconds with zero log entries on the victim developer's side. Exfiltrated AI API keys are then used to run unauthorized LLM inference, exfiltrate training data, or pivot to model-serving infrastructure.

Weaknesses (CWE)

CWE-276 Incorrect Default Permissions Primary

CWE-276 — Incorrect Default Permissions: During installation, installed file permissions are set to allow anyone to modify those files.

[Architecture and Design, Operation] The architecture needs to access and modification attributes for files to only those users who actually require those actions.
[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.