CVE Catalog

CVE-2026-54753

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.81%

52th percentile — higher than 52% of all known CVEs

Summary

A vulnerability in Nx (versions 17.0.4 through 22.7.2 and 23.0.0-beta.2) occurs because the local HTTP server started by `nx graph` sets the `Access-Control-Allow-Origin: *` header on every response. This allows any website visited by a developer to read the server's responses cross-origin, including the full project graph and the output of the `/help` endpoint, which runs a target's configured help command.

Risk Assessment

The primary risk is cross-origin information disclosure, and in rare cases, arbitrary command injection on the developer's machine.

Recommendation

Immediately update Nx to version 22.7.2 or later (or 23.0.0-beta.2) which fixes this vulnerability. If updating is not possible, avoid running `nx graph` while browsing untrusted websites.

Original NVD description (English source)

Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin — including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS