Linux Distros Unpatched Vulnerability : CVE-2025-30360

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source...

Linux Distros Unpatched Vulnerability : CVE-2025-30359

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source...

CVE-2025-58752

A path traversal / static-file serving bypass vulnerability has been identified in Vite’s static file server, where HTML files located outside the configured root or deny/allow lists may be served even when server.fs settings such as deny are used. An attacker can exploit this by requesting HTML...

GHSA-JQFW-VQ24-V9C3 Vite's `server.fs` settings were not applied to HTML files

Summary Any HTML files on the machine were served regardless of the server.fs settings. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - appType: 'spa' default or appType: 'mpa' i...

CVE-2025-58751

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or...

CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...

CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...

CVE-2025-58752

Vite CVE-2025-58752 affects the dev and preview servers when exposed on the network: HTML files on the local machine could be served despite server.fs settings, depending on app exposure and appType configuration. Affected versions are <7.1.5, <7.0.7, <6.3.6, and

CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...

CVE-2025-58751 Vite middleware may serve files starting with the same name with the public directory

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or...

CVE-2025-58751

CVE-2025-58751 involves a path traversal issue in Vite Dev Server. The vulnerability affects apps that explicitly expose the Vite dev server to the network (using --host or server.host) and have the public directory feature enabled (default) with a symlink inside the public directory. In versions...

PT-2025-36529

Name of the Vulnerable Software and Affected Versions: Vite versions prior to 7.1.5 Vite versions prior to 7.0.7 Vite versions prior to 6.3.6 Vite versions prior to 5.4.20 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML...

PT-2025-36528

Name of the Vulnerable Software and Affected Versions: Vite versions prior to 7.1.5 Vite versions prior to 7.0.7 Vite versions prior to 6.3.6 Vite versions prior to 5.4.20 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files...

webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

...

webpack-dev-server users' source code may be stolen when they access a malicious web site

...

Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant IDE Extensions

Summary Multiple vulnerabilities were addressed in IBM watsonx Code Assistant IDE Extensions VS code - V1.8.2, Eclipse IDE - 1.4.1 Vulnerability Details CVEID:CVE-2025-31125 DESCRIPTION: Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using...

CVE-2025-57753

vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2...

Directory Traversal

Overview vite-plugin-static-copy is a rollup-plugin-copy for vite with dev server support. Affected versions of this package are vulnerable to Directory Traversal via the viaLocal function. An attacker can access arbitrary files on the server by sending crafted HTTP requests that exploit path...

vite-plugin-static-copy files not included in `src` are possible to access with a crafted request

Summary Files not included in src was possible to access with a crafted request. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Arbitrary files can be disclosed by exploiting this vulnerability. Details Consider the...

GHSA-PP7P-Q8FX-2968 vite-plugin-static-copy files not included in `src` are possible to access with a crafted request

Summary Files not included in src was possible to access with a crafted request. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Arbitrary files can be disclosed by exploiting this vulnerability. Details Consider the...