CVE-2025-32395 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Vite is a frontend tooling framework for JavaScript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. The HTTP 1.1 spec (RFC 9112) does not allow in request-target. Although an attacker can sen...
PT-2025-15989 · Vite · Vite
Name of the Vulnerable Software and Affected Versions:
Vite versions prior to 6.2.6
Vite versions prior to 6.1.5
Vite versions prior to 6.0.15
Vite versions prior to 5.4.18
Vite versions prior to 4.5.13
Description: Vite is a frontend tooling framework for JavaScript. The contents of arbitrary...