Bug 2493647 (CVE-2026-54753) - CVE-2026-54753 Nx: Nx: `nx graph` dev server permissive CORS policy
Summary: CVE-2026-54753 Nx: Nx: `nx graph` dev server permissive CORS policy
Keywords:
Status: NEW
Alias: CVE-2026-54753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-26 19:01 UTC by OSIDB Bzimport
Modified: 2026-07-09 09:04 UTC (History)
12 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-26 19:01:39 UTC
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.


Note You need to log in before you can comment on or make changes to this bug.