50 matches found
GHSA-4R4M-QW57-CHR8 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details - base64 encoded content of non-allowed files is exposed using ?inline&import originally...
Exploit for CVE-2025-30208
CVE-2025-30208-LFI !IMPORTANT Disclaimer This exploit...
Exploit for CVE-2025-30208
中文 | English Vite Dev Server Vulnerability...
GHSA-X574-M823-4X7W Vite bypasses server.fs.deny when using ?raw??
Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or...
GHSA-VG6X-RCGG-RJX6 Websites were able to send any requests to the development server and read the response in vite
Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. !WARNING This vulnerability even applies to users that only run the Vite dev server on the loc...
GHSA-8JHW-289H-JH2G Vite's `server.fs.deny` did not deny requests for patterns with directories.
Summary Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo//. Impact Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using...
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...
GHSA-C24V-8RFC-W8VW Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...
CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Summary When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transformed output by supplying a...