VYPR
Moderate severityNVD Advisory· Published May 1, 2025· Updated May 2, 2025

Vite's server.fs.deny bypassed with /. for files under project root

CVE-2025-46565

Description

Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under root by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vitenpm
>= 6.3.0, < 6.3.46.3.4
vitenpm
>= 6.2.0, < 6.2.76.2.7
vitenpm
>= 6.0.0, < 6.1.66.1.6
vitenpm
>= 5.0.0, < 5.4.195.4.19
vitenpm
< 4.5.144.5.14

Affected products

20

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.