295 matches found
GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...
Information Exposure
Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as . An attacker can access and retrieve the contents of arbitrary files by...
Vite allows server.fs.deny to be bypassed with .svg or relative paths
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...
GHSA-XCJ6-PQ6G-QJ4X Vite allows server.fs.deny to be bypassed with .svg or relative paths
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...
Incorrect Authorization
Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Incorrect Authorization via the bypass of the server.fs.deny restriction. An attacker can access restricted files by appending ?.svg with ?.wasm?init or with sec-fetch-dest...
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details - base64 encoded content of non-allowed files is exposed using ?inline&import originally...
GHSA-4R4M-QW57-CHR8 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details - base64 encoded content of non-allowed files is exposed using ?inline&import originally...
Exploit for CVE-2025-30208
CVE-2025-30208-LFI !IMPORTANT Disclaimer This exploit...
Exploit for CVE-2025-30208
中文 | English Vite Dev Server Vulnerability...
GHSA-X574-M823-4X7W Vite bypasses server.fs.deny when using ?raw??
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or...
Linux Distros Unpatched Vulnerability : CVE-2021-40978
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the...
CVE-2025-24361 Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script b...
GHSA-VG6X-RCGG-RJX6 Websites were able to send any requests to the development server and read the response in vite
Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. !WARNING This vulnerability even applies to users that only run the Vite dev server on the loc...
GHSA-8JHW-289H-JH2G Vite's `server.fs.deny` did not deny requests for patterns with directories.
Summary Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo//. Impact Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using...
CVE-2023-25341
A Directory Traversal vulnerability in ladle dev server 2.5.1 and earlier allows an attacker on the same network to read files accessible to the user via GET requests...
CVE-2023-25341
A Directory Traversal vulnerability in ladle dev server 2.5.1 and earlier allows an attacker on the same network to read files accessible to the user via GET requests...
CVE-2023-25341
The CVE describes a Directory Traversal in Ladle Dev Server (versions 2.5.1 and earlier) that allows an attacker on the same network to read files accessible to the user via GET requests. Red Hat, NVD, CNNVD, and related enrichments corroborate the same impact. No exploit details are provided in ...
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...
GHSA-C24V-8RFC-W8VW Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...
CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...