CVE-2025-46565
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using –host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under root by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | vite | >= 6.3.0, < 6.3.4 | affected |
| vitejs | vite | >= 6.2.0, < 6.2.7 | affected |
| vitejs | vite | >= 6.0.0, < 6.1.6 | affected |
| vitejs | vite | >= 5.0.0, < 5.4.19 | affected |
| vitejs | vite | < 4.5.14 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
- https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.