Lucene search
K

8 matches found

Patchstack
Patchstack
added 2026/06/15 5:17 p.m.6 views

NPM: vite: `server.fs.deny` bypass on Windows alternate paths

NPM: vite: server.fs.deny bypass on Windows alternate paths vulnerability discovered by ? in WordPress Npm vite versions = 6.4.2...

8.2CVSS5.8AI score0.00393EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/07 7:12 p.m.25 views

CVE-2026-39364

CVE-2026-39364 affects the Vite dev server. Vulnerable versions include Vite 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4; on those, files that should be blocked by server.fs.deny (e.g., .env, *.crt) could be retrieved via HTTP 200 when requesting with certain query params (?raw, ?import&raw, or ?...

8.2CVSS5.9AI score0.02095EPSS
Exploits1References5Affected Software2
OSV
OSV
added 2025/10/20 7:57 p.m.4 views

CVE-2025-62522 vite allows server.fs.deny bypass via backslash on Windows

Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended...

6CVSS6.8AI score0.01031EPSS
Exploits0References4
OSV
OSV
added 2025/10/20 7:54 p.m.4 views

GHSA-93M4-6634-74Q7 vite allows server.fs.deny bypass via backslash on Windows

Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...

6CVSS6.8AI score0.01031EPSS
Exploits0References4
OSV
OSV
added 2025/04/11 2:6 p.m.3 views

GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`

Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...

6CVSS6.7AI score0.01736EPSS
Exploits2References4
RedhatCVE
RedhatCVE
added 2025/04/05 6:35 p.m.49 views

CVE-2025-31486

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...

5.3CVSS7.2AI score0.38685EPSS
Exploits7References6
OSV
OSV
added 2024/04/03 4:46 p.m.4 views

GHSA-8JHW-289H-JH2G Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo//. Impact Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using...

5.9CVSS5.8AI score0.00711EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2024/01/19 12:0 a.m.7 views

PT-2024-19813 · Vite · Vite

Name of the Vulnerable Software and Affected Versions: Vite versions prior to 2.9.17 Vite versions prior to 3.2.8 Vite versions prior to 4.5.2 Vite versions prior to 5.0.12 Description: The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented...

10CVSS6.8AI score0.03152EPSS
Exploits10References43
Rows per page
Query Builder