168 matches found
CVE-2025-59427
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...
CVE-2025-59427
The Cloudflare Vite plugin is vulnerable when used in its default configuration, exposing all files on the local dev server (including root files like .env and .dev.vars) via the Workers runtime integration. Affected: Cloudflare Vite plugin within the Cloudflare Workers SDK. Root cause: default d...
CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...
CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...
Directory Traversal
vite-plugin-static-copy is vulnerable to Directory Traversal. The vulnerability is due to improper access control because apps exposing the Vite dev server to the network --host or server.host config option allow attackers to retrieve arbitrary files by which an attacker can access arbitrary file...
MAL-2025-47107 Malicious code in vite-plugin-uni-i18n (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1ff6cfac329bcb3bc726e87d12942ec29cd686c4d4e81223398ed26948b46e39 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-47106 Malicious code in vite-plugin-morgan (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 26f59edc4a049e09b7c58781c9ec1b0e28038561905195af89d655fedcd5b14a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious Package
Overview vite-plugin-morgan is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious code in vite-plugin-uni-i18n (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1ff6cfac329bcb3bc726e87d12942ec29cd686c4d4e81223398ed26948b46e39 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in vite-plugin-morgan (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 26f59edc4a049e09b7c58781c9ec1b0e28038561905195af89d655fedcd5b14a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-57753
vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2...
CVE-2025-57753 vite-plugin-static-copy files not included in `src` are accessible with a crafted request
vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2...
CVE-2025-57753 vite-plugin-static-copy files not included in `src` are accessible with a crafted request
vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2...
CVE-2025-57753
The CVE-2025-57753 vulnerability affects vite-plugin-static-copy (a Rollup plugin for Vite). Affected versions allow a crafted HTTP request to access files not included in src when the Vite dev server is exposed to the network. Impact is information disclosure of files outside the intended direct...
CVE-2025-57753 vite-plugin-static-copy files not included in `src` are accessible with a crafted request
vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2...
@hpcc-js/esbuild-plugins (>=1.4.2 <=1.4.9), @yangzw/bruce-app (>=1.3.7 <=1.3.8) +1 more potentially affected by CVE-2025-57753 via vite-plugin-static-copy (>=3.0.0 <=3.1.1)
vite-plugin-static-copy NPM version =3.0.0, =1.4.2, =1.3.7, =1.3.8 - auto-reveal =0.7.0 Source cves: CVE-2025-57753 Source advisory: SNYK:JS-VITEPLUGINSTATICCOPY-12179280...
@hpcc-js/esbuild-plugins (>=1.4.2 <=1.4.9), @yangzw/bruce-app (>=1.3.7 <=1.3.8) +1 more potentially affected by CVE-2025-57753 via vite-plugin-static-copy (>=3.0.0 <=3.1.1)
vite-plugin-static-copy NPM version =3.0.0, =1.4.2, =1.3.7, =1.3.8 - auto-reveal =0.7.0 Source cves: CVE-2025-57753 Source advisory: OSV:GHSA-PP7P-Q8FX-2968...
@apiida/vue-components (>=16.5.0 <=18.0.2), @axirs/storybook-template (>=1.0.0-beta-v2.0.0 <=1.0.0-beta-v2.1.2) +114 more potentially affected by CVE-2025-57753 via vite-plugin-static-copy (>=0.6.1 <=2.3.1)
vite-plugin-static-copy NPM version =0.6.1, =16.5.0, =1.0.0-beta-v2.0.0, =0.4.3, =1.0.4, =1.1.0, =0.20.1, =0.5.0, =0.0.1, =0.0.3, =0.3.0, =0.1.0, =0.2.21, =0.4.1 and more Source cves: CVE-2025-57753 Source advisory: SNYK:JS-VITEPLUGINSTATICCOPY-12179280...
Directory Traversal
Overview vite-plugin-static-copy is a rollup-plugin-copy for vite with dev server support. Affected versions of this package are vulnerable to Directory Traversal via the viaLocal function. An attacker can access arbitrary files on the server by sending crafted HTTP requests that exploit path...
vite-plugin-static-copy files not included in `src` are possible to access with a crafted request
Summary Files not included in src was possible to access with a crafted request. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Arbitrary files can be disclosed by exploiting this vulnerability. Details Consider the...