63 matches found
CVE-2025-58752
A path traversal / static-file serving bypass vulnerability has been identified in Vite’s static file server, where HTML files located outside the configured root or deny/allow lists may be served even when server.fs settings such as deny are used. An attacker can exploit this by requesting HTML...
GHSA-JQFW-VQ24-V9C3 Vite's `server.fs` settings were not applied to HTML files
Summary Any HTML files on the machine were served regardless of the server.fs settings. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - appType: 'spa' default or appType: 'mpa' i...
CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
CVE-2025-58752
Vite CVE-2025-58752 affects the dev and preview servers when exposed on the network: HTML files on the local machine could be served despite server.fs settings, depending on app exposure and appType configuration. Affected versions are <7.1.5, <7.0.7, <6.3.6, and
CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
CVE-2025-58751 Vite middleware may serve files starting with the same name with the public directory
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or...
CVE-2025-57753
vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2...
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...
Remote Code Execution
wrangler is vulnerable to Remote Code Execution. The vulnerability is caused due to V8 inspector intentionally allowing arbitrary code execution within Workers sandbox for debugging purpose. The wrangler dev server starts an inspector listening on all network interfaces. This allows an attacker t...
PT-2023-32865 · Wrangler · Wrangler
Name of the Vulnerable Software and Affected Versions: wrangler versions prior to 3.19.0 wrangler versions prior to 2.20.2 Description: The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server...
Design/Logic Flaw
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...
CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...
Arbitrary File Read
vite is vulnerable to Arbitrary File Read. The vulnerability exists due to improper file path sanitization, allowing an attacker to access files from the root path. Note this vulnerability is only applicable if the vite dev server is hosted on the network...
GHSA-GC34-5V43-H7V8 nuxt Code Injection vulnerability
he Nuxt dev server between versions 3.4.0 and 3.4.3 is vulnerable to code injection when it is exposed publicly...
PT-2023-23680 · Nuxt · Nuxt
Name of the Vulnerable Software and Affected Versions: nuxt versions prior to 3.5.3 nuxt versions 3.4.0 through 3.4.3 Description: The issue concerns code injection in the Nuxt dev server. When the dev server is exposed publicly, it is vulnerable to code injection. This affects versions of nuxt...
Design/Logic Flaw
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options server.fs.deny can be bypassed using double forward-slash // allows any unauthenticated user to read file from the Vite root-path of the application including the default fs.deny...
(Almost) Arbitary File Read on Development Server
Description I previously disclosed an arbitrary file read due to Vite misconfiguration. This is a similar vulnerability with less impact. Proof of Concept Start any nuxt app in dev. Browse to: + http://localhost:3000/\nuxtvitenode\/module/C:/Windows/System32/calc.exe +...
CVE-2022-0343
CVE-2022-0343 affects Perfetto Dev scripts. A local attacker who can run the dev server (./tools/run-dev-server) may trigger HTTP requests to 127.0.0.1:10000, enabling a local privilege/escalation scenario. The issue is tied to the dev-server workflow rather than a remote vector. Remediation: upg...
PYSEC-2021-878
The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601. and https://github.com/nisdn/CVE-2021-40978/issues/1...