Vite's server.fs.deny bypassed with /. for files under project root
Description
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under root by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vitenpm | >= 6.3.0, < 6.3.4 | 6.3.4 |
vitenpm | >= 6.2.0, < 6.2.7 | 6.2.7 |
vitenpm | >= 6.0.0, < 6.1.6 | 6.1.6 |
vitenpm | >= 5.0.0, < 5.4.19 | 5.4.19 |
vitenpm | < 4.5.14 | 4.5.14 |
Affected products
20- osv-coords19 versionspkg:apk/chainguard/vitepkg:apk/chainguard/vitess-18.0pkg:apk/chainguard/vitess-18.0-binariespkg:apk/chainguard/vitess-19.0pkg:apk/chainguard/vitess-19.0-binariespkg:apk/chainguard/vitess-20.0pkg:apk/chainguard/vitess-20.0-binariespkg:apk/chainguard/vitess-20.0-compatpkg:apk/chainguard/vitess-21.0pkg:apk/chainguard/vitess-21.0-binariespkg:apk/chainguard/vitess-21.0-compatpkg:apk/wolfi/vitepkg:apk/wolfi/vitess-20.0pkg:apk/wolfi/vitess-20.0-binariespkg:apk/wolfi/vitess-20.0-compatpkg:apk/wolfi/vitess-21.0pkg:apk/wolfi/vitess-21.0-binariespkg:apk/wolfi/vitess-21.0-compatpkg:npm/vite
< 6.3.4-r0+ 18 more
- (no CPE)range: < 6.3.4-r0
- (no CPE)range: < 18.0.8-r14
- (no CPE)range: < 18.0.8-r14
- (no CPE)range: < 19.0.10-r9
- (no CPE)range: < 19.0.10-r9
- (no CPE)range: < 20.0.7-r3
- (no CPE)range: < 20.0.7-r3
- (no CPE)range: < 20.0.7-r3
- (no CPE)range: < 21.0.4-r3
- (no CPE)range: < 21.0.4-r3
- (no CPE)range: < 21.0.4-r3
- (no CPE)range: < 6.3.4-r0
- (no CPE)range: < 20.0.7-r3
- (no CPE)range: < 20.0.7-r3
- (no CPE)range: < 20.0.7-r3
- (no CPE)range: < 21.0.4-r3
- (no CPE)range: < 21.0.4-r3
- (no CPE)range: < 21.0.4-r3
- (no CPE)range: >= 6.3.0, < 6.3.4
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-859w-5945-r5v3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-46565ghsaADVISORY
- github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacbghsax_refsource_MISCWEB
- github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.