Lucene search
K

50 matches found

OSV
OSV
added 2025/03/31 5:31 p.m.2 views

GHSA-4R4M-QW57-CHR8 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details - base64 encoded content of non-allowed files is exposed using ?inline&import originally...

5.3CVSS6.7AI score0.58765EPSS
Exploits9References5
GithubExploit
GithubExploit
added 2025/03/27 12:36 p.m.347 views

Exploit for CVE-2025-30208

CVE-2025-30208-LFI !IMPORTANT Disclaimer This exploit...

5.3CVSS5.9AI score0.74998EPSS
Exploits28
GithubExploit
GithubExploit
added 2025/03/26 10:26 a.m.527 views

Exploit for CVE-2025-30208

中文 | English Vite Dev Server Vulnerability...

6CVSS6.9AI score0.74998EPSS
Exploits33
OSV
OSV
added 2025/03/25 2:0 p.m.3 views

GHSA-X574-M823-4X7W Vite bypasses server.fs.deny when using ?raw??

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or...

5.3CVSS5.9AI score0.74998EPSS
Exploits28References8
OSV
OSV
added 2025/01/21 7:52 p.m.7 views

GHSA-VG6X-RCGG-RJX6 Websites were able to send any requests to the development server and read the response in vite

Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. !WARNING This vulnerability even applies to users that only run the Vite dev server on the loc...

6.5CVSS6AI score0.00529EPSS
Exploits1References3
OSV
OSV
added 2024/04/03 4:46 p.m.4 views

GHSA-8JHW-289H-JH2G Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo//. Impact Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using...

5.9CVSS5.8AI score0.00711EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2024/01/19 9:58 p.m.146 views

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...

7.5CVSS7AI score0.00791EPSS
Exploits1References9Affected Software1
OSV
OSV
added 2024/01/19 9:58 p.m.4 views

GHSA-C24V-8RFC-W8VW Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...

7.5CVSS7AI score0.03152EPSS
Exploits2References9
Vulnrichment
Vulnrichment
added 2024/01/19 7:43 p.m.2 views

CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...

7.5CVSS7AI score0.00791EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2023/12/05 11:31 p.m.86 views

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Summary When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transformed output by supplying a...

6.1CVSS6.7AI score0.00997EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder