8 matches found
NPM: vite: `server.fs.deny` bypass on Windows alternate paths
NPM: vite: server.fs.deny bypass on Windows alternate paths vulnerability discovered by ? in WordPress Npm vite versions = 6.4.2...
CVE-2026-39364
CVE-2026-39364 affects the Vite dev server. Vulnerable versions include Vite 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4; on those, files that should be blocked by server.fs.deny (e.g., .env, *.crt) could be retrieved via HTTP 200 when requesting with certain query params (?raw, ?import&raw, or ?...
CVE-2025-62522 vite allows server.fs.deny bypass via backslash on Windows
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended...
GHSA-93M4-6634-74Q7 vite allows server.fs.deny bypass via backslash on Windows
Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...
GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...
CVE-2025-31486
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...
GHSA-8JHW-289H-JH2G Vite's `server.fs.deny` did not deny requests for patterns with directories.
Summary Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo//. Impact Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using...
PT-2024-19813 · Vite · Vite
Name of the Vulnerable Software and Affected Versions: Vite versions prior to 2.9.17 Vite versions prior to 3.2.8 Vite versions prior to 4.5.2 Vite versions prior to 5.0.12 Description: The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented...