OSV | added 2025/03/31 5:31 p.m. | 0 views

GHSA-4R4M-QW57-CHR8 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary: The contents of arbitrary files can be returned to the browser. Impact: Only apps explicitly exposing the Vite dev server to the network using the --host flag or the server.host config option are affected. Details: base64 encoded content of non-allowed files is exposed using ?inline&import originally...

CVSS 5.3 | AI score 6.7 | EPSS 0.59585
Exploits: 9 | References: 5
Github Security Blog | added 2025/03/31 5:31 p.m. | 58 views

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary: The contents of arbitrary files can be returned to the browser. Impact: Only apps explicitly exposing the Vite dev server to the network using the --host flag or the server.host config option are affected. Details: base64 encoded content of non-allowed files is exposed using ?inline&import originally...

CVSS 7.5 | AI score 6.9 | EPSS 0.59585
Exploits: 9 | References: 5 | Affected Software: 1
GithubExploit | added 2025/03/27 12:36 p.m. | 259 views

Exploit for CVE-2025-30208

CVE-2025-30208-LFI !IMPORTANT Disclaimer This exploit...

CVSS 5.3 | AI score 5.9 | EPSS 0.78572
Exploits: 28
GithubExploit | added 2025/03/26 10:26 a.m. | 508 views

Exploit for CVE-2025-30208

Chinese | English Vite Dev Server Vulnerability...

CVSS 6 | AI score 6.9 | EPSS 0.78572
Exploits: 33
OSV | added 2025/03/25 2:00 p.m. | 1 views

GHSA-X574-M823-4X7W Vite bypasses server.fs.deny when using ?raw??

Summary: The contents of arbitrary files can be returned to the browser. Impact: Only apps explicitly exposing the Vite dev server to the network using the --host flag or the server.host config option are affected. Details: @fs denies access to files outside of Vite's serving allow list. Adding ?raw?? or...

CVSS 5.3 | AI score 5.9 | EPSS 0.78572
Exploits: 28 | References: 8
Tenable Nessus | added 2025/03/06 12:00 a.m. | 10 views

Linux Distros Unpatched Vulnerability : CVE-2021-40978

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The mkdocs 1.2.2 built-in dev-server allows directory traversal on port 8000, enabling remote exploitation to obtain sensitive information. NOTE: the...

CVSS 7.5 | AI score 7.7 | EPSS 0.1449
Exploits: 2 | References: 2
Vulnrichment | added 2025/01/25 12:53 a.m. | 10 views

CVE-2025-24361 Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.15.2 of the rspack builder and a victim opens a malicious web site. Because the request for classic script b...

CVSS 5.3 | AI score 5.3 | EPSS 0.00311
Exploits: 0 | References: 2
OSV | added 2025/01/21 7:52 p.m. | 4 views

GHSA-VG6X-RCGG-RJX6 Websites were able to send any requests to the development server and read the response in vite

Summary: Vite allowed any website to send any request to the development server and read the response, due to default CORS settings and a lack of validation of the Origin header for WebSocket connections. !WARNING This vulnerability even applies to users that only run the Vite dev server on the loc...

CVSS 6.5 | AI score 6 | EPSS 0.00419
Exploits: 1 | References: 3
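The two gaps the GHSA-VG6X-RCGG-RJX6 summary names (a permissive CORS default, and no Origin check on the WebSocket handshake) are both closed by the same allow-list decision. The block below is an added illustration, not Vite's code or its fix: the allowed origins, the port 5173 and the function names are assumptions for the example. It compares the permissive `Access-Control-Allow-Origin: *` behaviour with a reflected allow-listed origin, and applies the same check to a WebSocket upgrade, where browsers always send an `Origin` header and CORS does not apply at all.

```javascript
// Added example: allow-list Origin validation for a local dev server's HTTP
// responses and WebSocket upgrades. Not Vite's implementation; values assumed.

// Origins the developer's own browser tab legitimately uses (assumed values).
const DEFAULT_ALLOWED = new Set([
  "http://localhost:5173",
  "http://127.0.0.1:5173",
]);

// Parse an Origin header value into its canonical scheme://host[:port] form.
// Returns null for a missing header, the literal "null" origin, or anything
// that is not a bare origin (a path, query, or credentials means it is not one).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // lower-cases the host and drops default ports
}

function isAllowedOrigin(originHeader, allowed = DEFAULT_ALLOWED) {
  const origin = normalizeOrigin(originHeader);
  return origin !== null && allowed.has(origin);
}

// CORS response headers. The permissive default ("*") lets any site's fetch()
// read the body. The hardened form reflects only an allow-listed origin and
// sends Vary: Origin so shared caches do not serve one origin's answer to another.
function corsHeaders(originHeader, { permissive = false, allowed = DEFAULT_ALLOWED } = {}) {
  if (permissive) return { "Access-Control-Allow-Origin": "*" };
  if (!isAllowedOrigin(originHeader, allowed)) return {};
  return { "Access-Control-Allow-Origin": normalizeOrigin(originHeader), Vary: "Origin" };
}

// WebSocket handshake gate. Browsers always attach Origin to the upgrade request,
// so a missing or foreign Origin is refused before the 101 is sent. Non-browser
// clients (curl, scripts) that omit the header are refused too; that is a
// deliberate choice for a dev server that should only talk to the local browser.
function shouldAcceptUpgrade(headers, allowed = DEFAULT_ALLOWED) {
  const origin = headers["origin"]; // Node lower-cases incoming header names
  if (origin === undefined) return false;
  return isAllowedOrigin(origin, allowed);
}

// Stand-alone demonstration.
console.log("permissive:", corsHeaders("https://attacker.example", { permissive: true }));
console.log("hardened  :", corsHeaders("https://attacker.example"));
console.log("upgrade from attacker:", shouldAcceptUpgrade({ origin: "https://attacker.example" }));
console.log("upgrade from localhost:", shouldAcceptUpgrade({ origin: "http://localhost:5173" }));
```

Because CORS never governs WebSocket connections, the `Origin` check on the upgrade is the only browser-side barrier between a malicious page and the HMR socket; a server that only fixes its CORS headers still leaks whatever the socket exposes.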
OSV | added 2024/04/03 4:46 p.m. | 2 views

GHSA-8JHW-289H-JH2G Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary: Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is `**/foo/**`. Impact: Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using...

CVSS 5.9 | AI score 5.8 | EPSS 0.00717
Exploits: 0 | References: 9
NVD | added 2024/03/28 10:15 p.m. | 10 views

CVE-2023-25341

A Directory Traversal vulnerability in ladle dev server 2.5.1 and earlier allows an attacker on the same network to read files accessible to the user via GET requests...

CVSS 6.5 | AI score 6.4 | EPSS 0.00397
Exploits: 0 | References: 1
Vulnrichment | added 2024/03/28 12:00 a.m. | 15 views

CVE-2023-25341

A Directory Traversal vulnerability in ladle dev server 2.5.1 and earlier allows an attacker on the same network to read files accessible to the user via GET requests...

AI score 6.8 | EPSS 0.00397
Exploits: 0 | References: 1
CVE | added 2024/03/28 12:00 a.m. | 43 views

CVE-2023-25341

The CVE describes a Directory Traversal in Ladle Dev Server (versions 2.5.1 and earlier) that allows an attacker on the same network to read files accessible to the user via GET requests. Red Hat, NVD, CNNVD, and related enrichments corroborate the same impact. No exploit details are provided in ...

CVSS 6.5 | AI score 6.6 | EPSS 0.00397
Exploits: 0 | References: 1
OSV | added 2024/01/19 9:58 p.m. | 3 views

GHSA-C24V-8RFC-W8VW Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary: Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092, with surface area reduced to host...

CVSS 7.5 | AI score 7 | EPSS 0.03152
Exploits: 2 | References: 9
Github Security Blog | added 2024/01/19 9:58 p.m. | 142 views

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary: Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092, with surface area reduced to host...

CVSS 7.5 | AI score 7 | EPSS 0.00791
Exploits: 1 | References: 9 | Affected Software: 1
Vulnrichment | added 2024/01/19 7:43 p.m. | 1 views

CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Vite is a frontend tooling framework for JavaScript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with surface area...

CVSS 7.5 | AI score 7 | EPSS 0.00791
Exploits: 1 | References: 3
Veracode | added 2024/01/02 12:12 p.m. | 20 views

Remote Code Execution

wrangler is vulnerable to Remote Code Execution. The vulnerability is caused by the V8 inspector intentionally allowing arbitrary code execution within the Workers sandbox for debugging purposes. The wrangler dev server starts an inspector listening on all network interfaces. This allows an attacker t...

CVSS 8.5 | AI score 8.6 | EPSS 0.00583
Exploits: 0 | References: 8 | Affected Software: 1
OSV | added 2023/12/29 12:15 p.m. | 15 views

CVE-2023-7079

Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file...

CVSS 5.7 | AI score 6.5
Exploits: 0 | References: 3
NVD | added 2023/12/29 12:15 p.m. | 10 views

CVE-2023-7079

Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file...

CVSS 6.4 | EPSS 0.00699
Exploits: 0 | References: 3
Cvelist | added 2023/12/29 11:54 a.m. | 18 views

CVE-2023-7079 Arbitrary remote file read in Wrangler dev server

Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file...

CVSS 6.4 | AI score 6.4 | EPSS 0.00699
Exploits: 0 | References: 3
Positive Technologies | added 2023/12/29 12:00 a.m. | 2 views

PT-2023-32865 · Wrangler · Wrangler

Name of the Vulnerable Software and Affected Versions: wrangler versions prior to 3.19.0; wrangler versions prior to 2.20.2. Description: The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server...

CVSS 8.5 | AI score 8.2 | EPSS 0.00583
Exploits: 0 | References: 17