12 matches found
Security Bulletin: IBM Maximo Application Suite - Manage Component uses vite-5.4.12.tgz which is vulnerable to CVE-2025-31486
Summary Security Bulletin: IBM Maximo Application Suite - Manage Component uses vite-5.4.12.tgz which is vulnerable to CVE-2025-31486. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-31486 DESCRIPTION: Vite is a frontend tooling...
Security Bulletin: Multiple security vulnerabilities in Vite affect IBM Robotic Process Automation (CVE-2025-31125, CVE-2025-32395, CVE-2025-31486).
Summary Multiple security vulnerabilities in Vite affect IBM Robotic Process Automation CVE-2025-31125, CVE-2025-32395, CVE-2025-31486. Vite is used by IBM Robotic Process Automation as part of the UI framework. This bulletin identifies the fixes required to address these vulnerabilities...
Exploit for CVE-2025-31486
CVE-2025-31486-PoC.py url !imagehttps://github.co...
CVE-2025-31486 vulnerabilities
Vulnerabilities for packages: vitess, langfuse-fips, langfuse...
Exploit for CVE-2025-31486
Disclaimer: The vulnerabilities described in this article, a...
CVE-2025-31486
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...
@angular/build (>=19.2.0 <=19.2.0-rc.0), @d-zero/builder (=5.0.0-alpha.39) +38 more potentially affected by CVE-2025-31486 via vite (>=6.1.0 <=6.1.3)
vite NPM version =6.1.0, =19.2.0, =1.0.7, =2.12.0, =2.12.0, =11.24.0, =0.0.1739797164641, =1.0.0, =0.0.0-experimental-989cf02-20250217-d62ba1cb, =0.0.0-experimental-80aadca-20250205-e2641483, =0.0.0-snapshot-1e670bae5105bde781e82aa2a8ee4f2dfc2446f0,...
@andrewzagorski/admin (>=4.25.19-patch.2 <=4.25.19-patch.3), @andrewzagorski/pack-up (=4.23.1-prerelease.2) +21 more potentially affected by CVE-2025-31486 via vite (>=6.0.0 <=6.0.11)
vite NPM version =6.0.0, =4.25.19-patch.2, =19.1.5, =5.0.0-alpha.37, =2.11.0, =2.11.0, =11.23.0, =0.0.0-experimental-13bd4c2-20250203-4e3af844, =0.0.0-snapshot-1d99fea7d2ce2c7a5d9ed0a3752f8a7bda6bc3db, =0.0.0-snapshot-1d99fea7d2ce2c7a5d9ed0a3752f8a7bda6bc3db, =1.0.6, =1.0.7 - @tuax/plugin-vite6...
@aicblock/cli (>=1.0.0 <=1.0.1), @angular/build (>=19.2.1 <=20.0.0-next.4) +39 more potentially affected by CVE-2025-31486 via vite (>=6.2.0 <=6.2.4)
vite NPM version =6.2.0, =1.0.0, =19.2.1, =0.55.0, =0.21.2-4.1, =1.0.0, =1.0.410, =3.8.0, =1.47.0, =5.0.0-alpha.40, =1.0.0-next.1, =3.0.0, =3.0.0-BETA.1 and more Source cves: CVE-2025-31486 Source advisory: OSV:GHSA-XCJ6-PQ6G-QJ4X...
CVE-2025-31486
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...
CVE-2025-31486
Vite is affected by a local-fileāread bypass in the dev server when it is exposed to the network (e.g., started with --host or server.host). The flaw lets an attacker retrieve contents of arbitrary files smaller than build.assetsInlineLimit (default 4 kB) by crafting URLs using the ?.svg suffix a...
CVE-2025-31486 Vite allows server.fs.deny to be bypassed with .svg or relative paths
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...