npm package
vite
pkg:npm/vite
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39365 | Med | 5.3 | | >= 8.0.0, < 8.0.5 | 8.0.5 | Apr 7, 2026 | Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible |
| CVE-2026-39364 | High | 7.5 | | >= 8.0.0, < 8.0.5 | 8.0.5 | Apr 7, 2026 | Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?impo |
| CVE-2026-39363 | High | 7.5 | | >= 8.0.0, < 8.0.5 | 8.0.5 | Apr 7, 2026 | Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine f |
| CVE-2025-62522 | Med | — | | >= 7.1.0, < 7.1.11 | 7.1.11 | Oct 20, 2025 | Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent i |
| CVE-2025-58752 | | — | | >= 7.1.0, < 7.1.5 | 7.1.5 | Sep 8, 2025 | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.ho |
| CVE-2025-58751 | | — | | >= 7.1.0, < 7.1.5 | 7.1.5 | Sep 8, 2025 | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network |
| CVE-2025-46565 | | — | | >= 6.3.0, < 6.3.4 | 6.3.4 | May 1, 2025 | Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server t |
| CVE-2025-32395 | Med | — | | >= 6.2.0, < 6.2.6 | 6.2.6 | Apr 10, 2025 | Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Althoug |
| CVE-2025-31486 | Med | 5.3 | | >= 6.2.0, < 6.2.5 | 6.2.5 | Apr 3, 2025 | Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file |
| CVE-2025-31125 | | — | KEV | >= 6.2.0, < 6.2.4 | 6.2.4 | Mar 31, 2025 | Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fix |
| CVE-2025-30208 | | — | | >= 6.2.0, < 6.2.3 | 6.2.3 | Mar 24, 2025 | Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns |
| CVE-2025-24010 | | — | | >= 6.0.0, < 6.0.9 | 6.0.9 | Jan 20, 2025 | Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6 |
| CVE-2024-45812 | Med | 6.4 | | >= 5.4.0, < 5.4.6 | 5.4.6 | Sep 17, 2024 | Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in |
| CVE-2024-45811 | Med | 4.8 | | >= 5.4.0, < 5.4.6 | 5.4.6 | Sep 17, 2024 | Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the f |
| CVE-2024-31207 | Med | 5.9 | | >= 2.7.0, < 2.9.18 | 2.9.18 | Apr 4, 2024 | Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, |
| CVE-2024-23331 | | — | | >= 2.7.0, < 2.9.17 | 2.9.17 | Jan 19, 2024 | Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 - |
| CVE-2023-49293 | | — | | >= 4.4.0, < 4.4.12 | 4.4.12 | Dec 4, 2023 | Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (``), it |
| CVE-2023-34092 | | — | | < 2.9.16 | 2.9.16 | Jun 1, 2023 | Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application includin |
| CVE-2022-35204 | | — | | < 2.9.13 | 2.9.13 | Aug 18, 2022 | Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service. |