14 matches found
CVE-2025-46565
CVE-2025-46565 (Vite) affects Vite < 6.3.4, < 6.2.7, < 6.1.6, < 5.4.19, and
CVE-2025-30208
CVE-2025-30208 (Vite) : In affected Vite versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10, an attacker can bypass file-access controls via URLs using trailing query markers (e.g., ?raw?? or ?import&raw??), causing arbitrary files to be exposed when the dev server is network-accessible. ...
CVE-2025-24010
CVE-2025-24010 affects Vite, a JavaScript frontend tooling framework. The flaw arises from permissive CORS settings and lack of Origin header validation for WebSocket connections, enabling unauthenticated cross-origin access to the development server. The vulnerability is mitigated by upgrades to...
CVE-2024-23331
CVE-2024-23331 (Vite) : The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems by using case-augmented filenames. The issue occurs because picomatch defaults to case-sensitive glob matching, while the file server does not, enabling a blacklist bypass and potent...
CVE-2025-31125
Summary of CVE-2025-31125 (Vite): Viteโs dev server, when exposed to the network (e.g., via --host or server.host), can disclose content of non-allowed files through URL modifiers like ?inline&import or ?raw?import. The issue is specific to Vite when the dev server is reachable externally; it doe...
CVE-2026-53571
CVE-2026-53571 affects the Vite dev server. On Windows, the denial mechanism implemented by the option server.fs.deny fails to normalize NTFS ADS path forms before access checks, allowing bypasses such as /.env::$DATA?raw and access via 8.3 short-name tricks. This can enable exposure of sensitive...
CVE-2023-34092
Vite core fix for CVE-2023-34092 (also echoed in related CVEs) describes a bypass of server.fs.deny via double-slash to read files from the Vite project root when the dev server is exposed (โhost or server.host). Affected versions before the fixes include: 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and ...
CVE-2023-49293
Vite HTML transformation vulnerability (CVE-2023-49293) affects apps using appType: 'custom' with the default HTML middleware. When server.transformIndexHtml is invoked manually and the transformed HTML contains inline [removed], an unmodified request URL in the HTML being transformed can allow i...
CVE-2022-35204
Vitejs Vite before v2.9.13 is vulnerable to directory traversal via a crafted URL to the victimโs service; update to v2.9.13 or later to resolve the issue (per PT-2022-22631).
CVE-2025-58751
CVE-2025-58751 involves a path traversal issue in Vite Dev Server. The vulnerability affects apps that explicitly expose the Vite dev server to the network (using --host or server.host) and have the public directory feature enabled (default) with a symlink inside the public directory. In versions...
CVE-2025-58752
Vite CVE-2025-58752 affects the dev and preview servers when exposed on the network: HTML files on the local machine could be served despite server.fs settings, depending on app exposure and appType configuration. Affected versions are <7.1.5, <7.0.7, <6.3.6, and
CVE-2026-39365
Vite Dev Server path traversal in optimized dependencies .map handling affects versions prior to 6.4.2, 7.3.2, and 8.0.5. The server resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments, allowing retrieval of .map files outsid...
CVE-2026-39363
CVE-2026-39363 affects Vite Dev Server. The WebSocket-based fetchModule RPC can be invoked without an Origin header, bypassing HTTP path access checks and enabling arbitrary file reads via file:// URLs combined with ?raw or ?inline. This occurs in Vite versions 6.0.0 up to before 6.4.2, 7.3.2, an...
CVE-2026-39364
CVE-2026-39364 affects the Vite dev server. Vulnerable versions include Vite 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4; on those, files that should be blocked by server.fs.deny (e.g., .env, *.crt) could be retrieved via HTTP 200 when requesting with certain query params (?raw, ?import&raw, or ?...