Hi — flagging a likely missing backport on the v1 branch.
CVE-2025-52662 was fixed by 7cadbbe9 on the default branch ("using textContent instead of innerHTML for auth page"). The patch swaps an innerHTML write to textContent inside packages/devtools/src/runtime/auth/index.html, eliminating a DOM-XSS sink fed by the Bearer query parameter.
A few facts that suggest the fix did not reach v1:
- compare v1...7cadbbe9 → ahead_by=125, behind_by=0 (i.e. v1 strictly lacks the fix path)
- packages/devtools/src/runtime/auth/index.html exists on v1 and still contains innerHTML-based assignment (the pre-patch shape)
- No prior issue/PR references CVE-2025-52662 in this repo
- Last commit on v1 is 2025-01-02, so the branch is not totally inactive
If v1 is still considered a maintained line for users on the older Nuxt-DevTools major, a one-commit cherry-pick of 7cadbbe9 onto v1 would close the gap. The patch is a single small file edit and should not collide with anything else.
Happy to open the cherry-pick PR if it would help. If v1 is end-of-life and users should upgrade, that's also a clear answer — please close in that case so I don't re-surface it.
Thanks for maintaining devtools!
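The sink change the issue describes, as an added example that is not code from the Nuxt DevTools repository or from the issue author: the pre-patch innerHTML write and the patched textContent write, both fed by a Bearer query parameter, run against a constructed stand-in element. FakeElement is an assumption (Node has no DOM); it records what a browser's HTML parser would create from an innerHTML assignment instead of executing it. The function names, the payload and the query-string shape are hypothetical.

```javascript
// Added example, not code from nuxt/devtools. Shows why the fix swaps the
// sink (innerHTML -> textContent) rather than filtering the parameter.

// Minimal stand-in for a DOM element (assumption: approximates browser
// behaviour closely enough for an offline demonstration). A real browser
// parses innerHTML as HTML and fires inline handlers such as onerror; this
// stub only records the tags and handlers that parse would have produced.
class FakeElement {
  constructor() {
    this.text = '';      // visible text
    this.children = [];  // { tag, handlers: [{ event, code }] }
  }

  set innerHTML(markup) {
    this.children = [];
    const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
    let m;
    while ((m = tagRe.exec(markup)) !== null) {
      // Collect inline event handler attributes (onerror=..., onload=...).
      const handlers = [...m[2].matchAll(/\bon(\w+)\s*=\s*["']?([^"'\s>]+)/g)]
        .map(([, event, code]) => ({ event, code }));
      this.children.push({ tag: m[1].toLowerCase(), handlers });
    }
    this.text = markup.replace(/<[^>]*>/g, '');
  }

  // textContent never reaches the HTML parser: characters are stored as-is.
  set textContent(value) {
    this.children = [];
    this.text = String(value);
  }

  get textContent() {
    return this.text;
  }
}

// Pre-patch shape: an attacker-controlled query value reaches an HTML sink.
function renderTokenVulnerable(el, search) {
  const token = new URLSearchParams(search).get('Bearer') ?? '';
  el.innerHTML = `Token: ${token}`; // DOM-XSS sink
  return el;
}

// Patched shape: same data flow, text sink. Markup stays literal text.
function renderTokenSafe(el, search) {
  const token = new URLSearchParams(search).get('Bearer') ?? '';
  el.textContent = `Token: ${token}`;
  return el;
}

// True if the write produced any element carrying an inline event handler,
// i.e. the parameter was interpreted as markup rather than as text.
function scriptableNodesCreated(el) {
  return el.children.some((c) => c.handlers.length > 0);
}

// Constructed payload: a classic markup-based XSS probe in the Bearer parameter.
const PAYLOAD = '?Bearer=' + encodeURIComponent('<img src=x onerror=alert(1)>');

console.log('vulnerable:', scriptableNodesCreated(renderTokenVulnerable(new FakeElement(), PAYLOAD)));
console.log('patched:   ', scriptableNodesCreated(renderTokenSafe(new FakeElement(), PAYLOAD)));
```

In a browser the vulnerable version would actually run the onerror handler; the stub stops at recording that an img element with a handler was created, which is enough to see the difference between the two sinks. The point for the backport is that the fix is purely a sink change on one line of the page, so the cherry-pick carries no behavioural change beyond removing the parse step.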