50 matches found
PT-2026-30926
Name of the Vulnerable Software and Affected Versions Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5 Description The Vite dev server improperly handles .map requests for optimized dependencies. It resolves file paths and calls readFile without restricting '../' segments in the URL, potential...
PT-2026-30868
Name of the Vulnerable Software and Affected Versions Vite versions 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4 Description Vite, a frontend tooling framework for JavaScript, allows retrieval of files blocked by server.fs.deny such as .env and .crt files with HTTP 200 responses when specific quer...
PT-2026-30768
Name of the Vulnerable Software and Affected Versions Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5 Description Vite, a frontend tooling framework for JavaScript, had a flaw where the server.fs check was not enforced for the fetchModule method exposed in the Vite dev server’s WebSocket. If ...
CVE-2026-29066
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...
Vite Vitejs Improper Access Control Vulnerability
Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected...
Directory Traversal
Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal via the server.fs.deny function. An attacker can access restricted files by appending a backslash to the URL when the development server is running on...
CVE-2025-62522 vite allows server.fs.deny bypass via backslash on Windows
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended...
vite allows server.fs.deny bypass via backslash on Windows
Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...
GHSA-93M4-6634-74Q7 vite allows server.fs.deny bypass via backslash on Windows
Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...
Improper Access Control
vite is vulnerable to improper access control. The vulnerability is due to files starting with the same name as those in the public directory being served while bypassing the server.fs settings, which allows an attacker to access restricted files when the Vite dev server is exposed to the network...
EUVD-2025-25476
Malicious code in bioql PyPI...
Directory Traversal
vite-plugin-static-copy is vulnerable to Directory Traversal. The vulnerability is due to improper access control because apps exposing the Vite dev server to the network --host or server.host config option allow attackers to retrieve arbitrary files by which an attacker can access arbitrary file...
PT-2025-34242 · Vite · Vite-Plugin-Static-Copy
Name of the Vulnerable Software and Affected Versions: vite-plugin-static-copy versions prior to 2.3.2 vite-plugin-static-copy versions prior to 3.1.2 Description: The vite-plugin-static-copy plugin for Vite allows access to files not included in the src directory through a crafted request. This...
Exploit for CVE-2025-30208
🔥 CVE-2025-30208 Vite Arbitrary File Read Vulnerability Scanne...
GHSA-859W-5945-R5V3 Vite's server.fs.deny bypassed with /. for files under project root
Summary The contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Only files that are under project root and a...
Directory Traversal
Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root...
GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...
Information Exposure
Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as . An attacker can access and retrieve the contents of arbitrary files by...
Vite allows server.fs.deny to be bypassed with .svg or relative paths
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details - base64 encoded content of non-allowed files is exposed using ?inline&import originally...