Lucene search
K

14 matches found

CVE
CVE
โ€ขadded 2025/05/01 5:20 p.m.โ€ข628 views

CVE-2025-46565

CVE-2025-46565 (Vite) affects Vite < 6.3.4, < 6.2.7, < 6.1.6, < 5.4.19, and

6CVSS6.6AI score0.01077EPSS
CVE
CVE
โ€ขadded 2025/03/24 5:3 p.m.โ€ข412 views

CVE-2025-30208

CVE-2025-30208 (Vite) : In affected Vite versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10, an attacker can bypass file-access controls via URLs using trailing query markers (e.g., ?raw?? or ?import&raw??), causing arbitrary files to be exposed when the dev server is network-accessible. ...

7.5CVSS7.2AI score0.74998EPSS
Web
CVE
CVE
โ€ขadded 2025/01/20 3:53 p.m.โ€ข398 views

CVE-2025-24010

CVE-2025-24010 affects Vite, a JavaScript frontend tooling framework. The flaw arises from permissive CORS settings and lack of Origin header validation for WebSocket connections, enabling unauthenticated cross-origin access to the development server. The vulnerability is mitigated by upgrades to...

6.5CVSS6.3AI score0.00283EPSS
CVE
CVE
โ€ขadded 2024/01/19 7:43 p.m.โ€ข356 views

CVE-2024-23331

CVE-2024-23331 (Vite) : The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems by using case-augmented filenames. The issue occurs because picomatch defaults to case-sensitive glob matching, while the file server does not, enabling a blacklist bypass and potent...

7.5CVSS7.3AI score0.00791EPSS
CVE
CVE
โ€ขadded 2025/03/31 5:6 p.m.โ€ข313 views

CVE-2025-31125

Summary of CVE-2025-31125 (Vite): Viteโ€™s dev server, when exposed to the network (e.g., via --host or server.host), can disclose content of non-allowed files through URL modifiers like ?inline&import or ?raw?import. The issue is specific to Vite when the dev server is reachable externally; it doe...

7.5CVSS6.9AI score0.58765EPSS
In wild
CVE
CVE
โ€ขadded 2026/06/22 4:10 p.m.โ€ข200 views

CVE-2026-53571

CVE-2026-53571 affects the Vite dev server. On Windows, the denial mechanism implemented by the option server.fs.deny fails to normalize NTFS ADS path forms before access checks, allowing bypasses such as /.env::$DATA?raw and access via 8.3 short-name tricks. This can enable exposure of sensitive...

8.2CVSS5.9AI score0.00393EPSS
CVE
CVE
โ€ขadded 2023/06/01 4:29 p.m.โ€ข115 views

CVE-2023-34092

Vite core fix for CVE-2023-34092 (also echoed in related CVEs) describes a bypass of server.fs.deny via double-slash to read files from the Vite project root when the dev server is exposed (โ€“host or server.host). Affected versions before the fixes include: 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and ...

7.5CVSS7.2AI score0.03152EPSS
CVE
CVE
โ€ขadded 2023/12/04 11:3 p.m.โ€ข77 views

CVE-2023-49293

Vite HTML transformation vulnerability (CVE-2023-49293) affects apps using appType: 'custom' with the default HTML middleware. When server.transformIndexHtml is invoked manually and the transformed HTML contains inline [removed], an unmodified request URL in the HTML being transformed can allow i...

6.1CVSS6.1AI score0.00997EPSS
CVE
CVE
โ€ขadded 2022/08/18 6:15 p.m.โ€ข65 views

CVE-2022-35204

Vitejs Vite before v2.9.13 is vulnerable to directory traversal via a crafted URL to the victimโ€™s service; update to v2.9.13 or later to resolve the issue (per PT-2022-22631).

4.3CVSS4.6AI score0.01077EPSS
CVE
CVE
โ€ขadded 2025/09/08 10:52 p.m.โ€ข58 views

CVE-2025-58751

CVE-2025-58751 involves a path traversal issue in Vite Dev Server. The vulnerability affects apps that explicitly expose the Vite dev server to the network (using --host or server.host) and have the public directory feature enabled (default) with a symlink inside the public directory. In versions...

5.3CVSS6.4AI score0.0118EPSS
CVE
CVE
โ€ขadded 2025/09/08 10:56 p.m.โ€ข52 views

CVE-2025-58752

Vite CVE-2025-58752 affects the dev and preview servers when exposed on the network: HTML files on the local machine could be served despite server.fs settings, depending on app exposure and appType configuration. Affected versions are <7.1.5, <7.0.7, <6.3.6, and

5.3CVSS6.3AI score0.00586EPSS
CVE
CVE
โ€ขadded 2026/04/07 7:13 p.m.โ€ข45 views

CVE-2026-39365

Vite Dev Server path traversal in optimized dependencies .map handling affects versions prior to 6.4.2, 7.3.2, and 8.0.5. The server resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments, allowing retrieval of .map files outsid...

6.3CVSS5.9AI score0.00914EPSS
In wild
CVE
CVE
โ€ขadded 2026/04/07 7:10 p.m.โ€ข44 views

CVE-2026-39363

CVE-2026-39363 affects Vite Dev Server. The WebSocket-based fetchModule RPC can be invoked without an Origin header, bypassing HTTP path access checks and enabling arbitrary file reads via file:// URLs combined with ?raw or ?inline. This occurs in Vite versions 6.0.0 up to before 6.4.2, 7.3.2, an...

8.2CVSS6.2AI score0.02907EPSS
CVE
CVE
โ€ขadded 2026/04/07 7:12 p.m.โ€ข27 views

CVE-2026-39364

CVE-2026-39364 affects the Vite dev server. Vulnerable versions include Vite 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4; on those, files that should be blocked by server.fs.deny (e.g., .env, *.crt) could be retrieved via HTTP 200 when requesting with certain query params (?raw, ?import&raw, or ?...

8.2CVSS5.9AI score0.02095EPSS