20 matches found
Malicious Package
Overview preview-server-auth is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Improper Access Control
Vite is vulnerable to Improper Access Control. The vulnerability is due to the dev and preview servers serving any HTML files on the machine regardless of the server.fs settings, which allows an attacker to access unintended files when the Vite server is exposed to the network, potentially leadin...
EUVD-2025-27180
Malicious code in bioql PyPI...
CVE-2025-58752
A path traversal / static-file serving bypass vulnerability has been identified in Vite’s static file server, where HTML files located outside the configured root or deny/allow lists may be served even when server.fs settings such as deny are used. An attacker can exploit this by requesting HTML...
GHSA-JQFW-VQ24-V9C3 Vite's `server.fs` settings were not applied to HTML files
Summary Any HTML files on the machine were served regardless of the server.fs settings. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - appType: 'spa' default or appType: 'mpa' i...
Relative Path Traversal
Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Relative Path Traversal via improper enforcement of server.fs settings. An attacker can access arbitrary HTML files on the server by sending crafted requests to the preview server. Note:...
CVE-2025-58752
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
CVE-2025-58752
Vite CVE-2025-58752 affects the dev and preview servers when exposed on the network: HTML files on the local machine could be served despite server.fs settings, depending on app exposure and appType configuration. Affected versions are <7.1.5, <7.0.7, <6.3.6, and
CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
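The advisories above only bite when the dev or preview server is reachable from the network and the package is older than the fixed releases (7.1.5, 7.0.7, 6.3.6, 5.4.20). The following `vite.config.cjs` is an added example, not taken from the advisories or the Vite project: it places the exposed configuration next to a hardened one. The option names (`server.host`, `server.fs.strict`, `server.fs.allow`, `server.fs.deny`, `appType`) are Vite's; the deny patterns and the hostname are this example's own choices.

```javascript
// vite.config.cjs (added example; not the Vite project's code)

// Exposed: `host: true` has the same effect as `vite --host`, so anyone who
// can reach the machine can send requests to the dev server. On versions
// before the fix, the fs rules below were not applied to .html responses,
// so they do not protect HTML files elsewhere on the disk.
/** @type {import('vite').UserConfig} */
const exposed = {
  appType: "spa",
  server: {
    host: true,
    fs: {
      strict: true,
      deny: [".env", ".env.*", "*.{crt,pem}"], // assumed deny list for this example
    },
  },
};

// Hardened: stay on loopback (Vite's default) and keep the allow list to the
// project itself. The fs rules only constrain HTML once Vite is updated to a
// fixed release; the host setting is what removes network exposure on any version.
/** @type {import('vite').UserConfig} */
const hardened = {
  appType: "spa",
  server: {
    host: "127.0.0.1",
    fs: {
      strict: true,
      allow: ["."],
      deny: [".env", ".env.*", "*.{crt,pem}", "**/.git/**"], // assumed deny list
    },
  },
};

module.exports = hardened;
module.exports.exposed = exposed; // kept only so the two variants can be compared
```

If the server must be reachable from other hosts (a device on the LAN, a container), update first and keep `server.host` bound to a specific interface rather than `true`.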
MAL-2025-5993 Malicious code in preview-server-auth-poc (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 923e18277dc972e221ab7a161e65c18219ff037b3a347b86f86df7f6cba1bcfb The OpenSSF Package Analysis project identified...
Malicious code in preview-server-auth-bounty (npm)
The package communicates with a domain associated with malicious activity...
MAL-2025-5821 Malicious code in preview-server-auth-test (npm)
The package communicates with a domain associated with malicious activity...
MAL-2025-5820 Malicious code in preview-server-auth (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3c061ebafc271130fff7da4c0ba73b6e359b1a785e08a54972432edb83ff6b13 Any computer that has this package installed or running should be considered...
Node.js third-party modules: [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files
Summary I would like to report path traversal in zenn-cli. It allows the attacker to read arbitrary .md files. Module module name: zenn-cli version: 0.1.39 npm page: https://www.npmjs.com/package/zenn-cli Module Description Manage Zenn content locally 👩💻 Module Stats 885 weekly downloads...