nx is vulnerable to Information Disclosure
Medium Risk
The local nx graph HTTP server set Access-Control-Allow-Origin: * on its responses, so a malicious webpage open in the developer's browser could read project-graph.json and related localhost endpoints while the graph server was running. That exposes the workspace's project structure, dependencies, and task metadata to any webpage open in that browser. From 22.6.0 onward, the Nx daemon also auto-installed nx@latest without verifying npm provenance attestations, weakening protection against tampered registry packages on that path. Version 22.7.2 removes the wildcard CORS header and requires provenance before pulling nx@latest.
You are affected if you are using a version that falls within the vulnerable range.
nx is vulnerable to Information Disclosure in versions 18.0.0 - 22.7.1.
Upgrade the nx library to 22.7.2 or later, the version that contains the fix.
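As an added illustration (not code from the Nx project; the advisory does not show its server), the hypothetical handler below puts the weak wildcard setting beside an allow-listed one and includes a check a developer can run against a captured or live response from their own local graph server. The endpoint URL, port and allowed origin are assumptions.

```javascript
// Added example, not Nx's own code: a hypothetical localhost dev-server CORS
// policy for project-graph.json, the weak wildcard setting beside the hardened
// one, and a check that flags a response which grants a cross-origin read.

// Weak setting (what the advisory describes): every origin may read the JSON.
function weakCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened setting: emit Access-Control-Allow-Origin only when the request's
// Origin is explicitly allow-listed (the graph UI's own origin, assumed here).
// Any other page gets no CORS header, so the browser's same-origin policy
// blocks the cross-site read of the graph data.
function hardenedCorsHeaders(requestOrigin, allowedOrigins) {
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
  }
  return {};
}

// Check on a captured response: true when a page at requestOrigin (one that
// should not be trusted) would be permitted to read the body. Header names
// are case-insensitive, so they are normalised before matching.
function exposesGraphCrossOrigin(responseHeaders, requestOrigin) {
  const acao = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === 'access-control-allow-origin');
  if (!acao) return false; // no CORS grant: same-origin policy applies
  const value = String(acao[1]).trim();
  // Wildcard, or an untrusted Origin reflected back, both expose the data.
  return value === '*' || value === requestOrigin;
}

// Live check against a running local server (assumed URL; Node 18+ fetch).
// Sends an Origin the server should not trust and inspects what it grants.
async function probeLocalGraphServer(url, untrustedOrigin = 'https://untrusted.example') {
  const res = await fetch(url, { headers: { Origin: untrustedOrigin } });
  const headers = Object.fromEntries(res.headers.entries());
  return exposesGraphCrossOrigin(headers, untrustedOrigin);
}
// Example (assumed URL): probeLocalGraphServer('http://localhost:4211/project-graph.json')
//   resolves to true on an affected server and false after the fix.
```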