CVE-2025-62522
6
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | vite | >= 7.1.0, < 7.1.11 | affected |
| vitejs | vite | >= 7.0.0, < 7.0.8 | affected |
| vitejs | vite | >= 6.0.0, < 6.4.1 | affected |
| vitejs | vite | >= 5.2.6, < 5.4.21 | affected |
| vitejs | vite | >= 4.5.3, < 5.0.0 | affected |
| vitejs | vite | >= 3.2.9, < 4.0.0 | affected |
| vitejs | vite | >= 2.9.18, < 3.0.0 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7
- https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.