
177 matches found

OSV
added 2025/05/28 9:52 p.m. · 0 views

GHSA-3H52-269P-CP9R Information exposure in Next.js dev server due to lack of origin verification

Summary: A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a...

2.3 CVSS · 6.5 AI score · 0.00101 EPSS
Exploits 0 · References 4

RedhatCVE
added 2025/05/23 5:19 a.m. · 3 views

CVE-2023-3348

The Wrangler command line tool [email protected] or [email protected] was affected by a directory traversal vulnerability when running a local development server for Pages (`wrangler pages dev` command). This vulnerability enabled an attacker in the same network as the victim to connect to the local...

5.7 CVSS · 6.8 AI score · 0.00243 EPSS
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 3:55 a.m. · 8 views

CVE-2023-34238

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion vulnerability in the file-code-frame and original-stack-frame paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope o...

5.3 CVSS · 6.7 AI score · 0.00969 EPSS
Exploits 1

RedhatCVE
added 2025/05/22 7:6 p.m. · 4 views

CVE-2021-20146

An unprotected SSH private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time of discovery, the SSH key could be used to log in to the development server hosted in Amazon Web Services...

10 CVSS · 7 AI score · 0.01493 EPSS
Exploits 0 · References 1

NVD
added 2025/05/01 6:15 p.m. · 11 views

CVE-2025-46565

Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network usi...

6 CVSS · 0.02428 EPSS
Exploits 1 · References 2

Github Security Blog
added 2025/04/11 2:6 p.m. · 24 views

Vite has a `server.fs.deny` bypass with an invalid `request-target`

Summary: The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact: Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...

6 CVSS · 6.4 AI score · 0.03166 EPSS
Exploits 2 · References 4 · Affected Software 1

Veracode
added 2025/04/09 4:20 a.m. · 8 views

Unauthorized File Exposure

Vite is vulnerable to Unauthorized File Exposure. The vulnerability is due to improper exposure of non-allowed files through the ?inline or ?raw?import methods when the Vite dev server is explicitly exposed to the network using --host or the server.host config option, which allows unauthorized access t...

7.5 CVSS · 6.9 AI score · 0.83244 EPSS
Exploits 9 · References 10 · Affected Software 1

GithubExploit
added 2025/04/03 11:46 a.m. · 259 views

Exploit for CVE-2025-30208

CVE-2025-30208 - Vite Arbitrary File Read PoC This is a Proof...

5.3 CVSS · 7.4 AI score · 0.89847 EPSS
Exploits 27

Positive Technologies
added 2025/04/03 12:0 a.m. · 4 views

PT-2025-14786

Name of the Vulnerable Software and Affected Versions: Vite versions 6.0.0 through 6.0.13; Vite versions 6.1.0 through 6.1.3; Vite versions 6.2.0 through 6.2.4; Vite version 4.5.11 and earlier; Vite version 5.4.16 and earlier. Description: The issue allows the contents of arbitrary files to be returned ...

5.3 CVSS · 6.3 AI score · 0.04736 EPSS
Exploits 7 · References 14

GithubExploit
added 2025/03/31 1:43 p.m. · 267 views

Exploit for CVE-2025-30208

ViteVulScan Vulnerabilities Overview This project involves...

5.3 CVSS · 6.6 AI score · 0.89847 EPSS
Exploits 34

GithubExploit
added 2025/03/31 1:43 p.m. · 209 views

Exploit for CVE-2025-30208

ViteVulScan Vulnerabilities Overview This project involves...

5.3 CVSS · 6.6 AI score · 0.89847 EPSS
Exploits 34

GithubExploit
added 2025/03/31 1:43 p.m. · 363 views

Exploit for CVE-2025-30208

ViteVulScan Vulnerabilities Overview This project involves...

5.3 CVSS · 6.6 AI score · 0.89847 EPSS
Exploits 34

CNVD
added 2025/03/27 12:0 a.m. · 8 views

Access control error vulnerability exists in Vite (CNVD-2025-05817)

Vite is a new open-source front-end build tool. Vite has an access control error vulnerability that can be exploited by an attacker to bypass the development server's protection mechanism and illegally access sensitive files outside the project root directory...

7.5 CVSS · 7 AI score · 0.89847 EPSS
Exploits 27 · References 1

CNNVD
added 2025/03/24 12:0 a.m. · 7 views

Vite access control error vulnerability

Vite is a new open-source front-end build tool. Vite has an access control error vulnerability that can be exploited by an attacker to bypass the development server's protection mechanism and illegally access sensitive files outside the project root directory...

7.5 CVSS · 6.8 AI score · 0.89847 EPSS
Exploits 27 · References 8

Positive Technologies
added 2025/03/24 12:0 a.m. · 9 views

PT-2025-12667

Name of the Vulnerable Software and Affected Versions: Vite versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. Description: Vite is susceptible to a file access bypass vulnerability. When the development server is exposed to the network using the --host or server.host configuration optio...

7.8 CVSS · 6.6 AI score · 0.89847 EPSS
Exploits 27 · References 84

Github Security Blog
added 2025/02/10 5:48 p.m. · 1482 views

esbuild enables any website to send any requests to the development server and read the response

Summary: esbuild allows any websites to send any request to the development server and read the response due to default CORS settings. Details: esbuild sets Access-Control-Allow-Origin: header to all requests, including the SSE connection, which allows any websites to send any request to the...

6.8 AI score
Exploits 0 · References 3 · Affected Software 1

Positive Technologies
added 2025/02/10 12:0 a.m. · 3 views

PT-2025-6214 · Esbuild · Esbuild

Name of the Vulnerable Software and Affected Versions: esbuild affected versions not specified Description: The issue allows any website to send requests to the development server and read the response due to default CORS settings. This is because esbuild sets the Access-Control-Allow-Origin:...

5.3 CVSS · 6.7 AI score
Exploits 0 · References 4

OSV
added 2025/01/27 11:31 a.m. · 7 views

GHSA-2452-6XJ8-JH47 Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Summary: Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Details: While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, Nuxt uses its own CORS handler by...

5.3 CVSS · 5.4 AI score · 0.00308 EPSS
Exploits 0 · References 8

Github Security Blog
added 2025/01/27 11:31 a.m. · 6 views

Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Summary: Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Details: While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, Nuxt uses its own CORS handler by...

5.3 CVSS · 6.8 AI score · 0.00308 EPSS
Exploits 0 · References 8 · Affected Software 1

Cvelist
added 2025/01/25 12:49 a.m. · 16 views

CVE-2025-24360 Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite...

5.3 CVSS · 0.00308 EPSS
Exploits 0 · References 6