VYPR · Vendor CVEs

Vitejs

All CVEs

24 total · sorted by risk
  • CVE-2025-67489 · Critical · Dec 9, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    @vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction)…

  • CVE-2024-52011 · High · Jun 1, 2026
    risk 0.42 · cvss (not listed) · epss 0.01

    launch-editor allows users to open files with line numbers in an editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that…

  • CVE-2026-39364 · High · Apr 7, 2026
    risk 0.42 · cvss 7.5 · epss 0.02

    Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or…

  • CVE-2026-39363 · High · Apr 7, 2026
    risk 0.42 · cvss 7.5 · epss 0.02

    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and…

  • CVE-2025-68155 · High · Dec 16, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    @vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to…

  • CVE-2026-53571 · High · Jun 15, 2026
    risk 0.38 · cvss (not listed) · epss 0.00

    Summary: The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. Impact: Only apps that match the following conditions are affected: - explicitly exposes the Vite…

  • CVE-2024-45812 · Medium · Sep 17, 2024
    risk 0.35 · cvss 6.4 · epss 0.01

    Vite is a frontend build tooling framework for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS)…

  • CVE-2025-62522 · Medium · Oct 20, 2025
    risk 0.32 · cvss (not listed) · epss 0.01

    Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent…

  • CVE-2025-32395 · Medium · Apr 10, 2025
    risk 0.32 · cvss (not listed) · epss 0.02

    Vite is a frontend tooling framework for JavaScript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. The HTTP/1.1 spec (RFC 9112) does not allow # in the request-target.…

  • CVE-2024-31207 · Medium · Apr 4, 2024
    risk 0.31 · cvss 5.9 · epss 0.01

    Vite (French word for "quick", pronounced /vit/, like "veet") is frontend build tooling to improve the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13,…

  • CVE-2025-31486 · Medium · Apr 3, 2025
    risk 0.30 · cvss 5.3 · epss 0.35

    Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init, or with a sec-fetch-dest: script header, the server.fs.deny restriction could be bypassed. This bypass is only possible if the…

  • CVE-2026-39365 · Medium · Apr 7, 2026
    risk 0.28 · cvss 5.3 · epss 0.01

    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is…

  • CVE-2024-45811 · Medium · Sep 17, 2024
    risk 0.24 · cvss 4.8 · epss 0.01

    Vite is a frontend build tooling framework for JavaScript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of the Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the…

  • CVE-2025-31125 · KEV · Mar 31, 2025
    risk 0.10 · cvss (not listed) · epss 0.62

    Vite is a frontend tooling framework for JavaScript. Vite exposes the content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected. This vulnerability is…

  • CVE-2025-30208 · Mar 24, 2025
    risk 0.02 · cvss (not listed) · epss 0.77

    Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and…

  • CVE-2023-49293 · Dec 4, 2023
    risk 0.01 · cvss (not listed) · epss 0.01

    Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (``), it…

  • CVE-2026-53632 · Jun 15, 2026
    risk 0.00 · cvss (not listed) · epss 0.00

    Summary: The `launch-editor` NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user's NTLMv2 password hash to be leaked to an attacker-controlled…

  • CVE-2025-58752 · Sep 8, 2025
    risk 0.00 · cvss (not listed) · epss 0.01

    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or…

  • CVE-2025-58751 · Sep 8, 2025
    risk 0.00 · cvss (not listed) · epss 0.01

    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files whose names start with the public directory's name were served, bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network…

  • CVE-2025-46565 · May 1, 2025
    risk 0.00 · cvss (not listed) · epss 0.01

    Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server…

  • CVE-2025-24010 · Jan 20, 2025
    risk 0.00 · cvss (not listed) · epss 0.00

    Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send any request to the development server and read the response, due to default CORS settings and lack of validation of the Origin header for WebSocket connections. This vulnerability is fixed in…

  • CVE-2024-23331 · Jan 19, 2024
    risk 0.00 · cvss (not listed) · epss 0.01

    Vite is a frontend tooling framework for JavaScript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092…

  • CVE-2023-34092 · Jun 1, 2023
    risk 0.00 · cvss (not listed) · epss 0.03

    Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, the Vite server option `server.fs.deny` can be bypassed using a double forward-slash (//), which allows any unauthenticated user to read files from the Vite root-path of the application…

  • CVE-2022-35204 · Aug 18, 2022
    risk 0.00 · cvss (not listed) · epss 0.01

    Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.
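The first check a practitioner wants after reading this list is which entries apply to the vite version actually installed. The script below is an added example, not code from VYPR or from the Vite project. It copies the fix versions and explicit ranges from the entries above (entries whose version list is cut off on this page, such as CVE-2024-31207, are left out rather than guessed), and the rule it uses to turn a "prior to X, Y, Z" list into affected ranges is an assumption, stated in the comments: a fix covers its own minor line when the same major has several fixes listed, otherwise its whole major line. Run it with Node and replace the demo version with the one from your lockfile.

```javascript
// Added example, not code from VYPR or the Vite project: checks an installed
// vite version against the affected ranges stated in the entries above.

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(s).trim());
  if (!m) throw new Error(`not a semver release: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns <0, 0 or >0. A pre-release sorts below the release it precedes
// (6.2.3-beta.1 < 6.2.3), so it is treated as not yet carrying that fix.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Turn a "prior to X, Y, Z" fix list into affected ranges [from, before).
// ASSUMPTION: a fix covers its own minor line when the same major has several
// fixes listed, otherwise its whole major line; everything below the lowest
// fix (or below `floor`, when the entry says "from 6.0.0") is unpatched.
function rangesFromFixList(fixes, floor = "0.0.0") {
  const sorted = fixes.map((f) => parseVersion(f)).sort(compareVersions);
  return sorted.map((f, i) => {
    let from;
    if (i === 0) from = floor;
    else if (sorted.slice(0, i).some((p) => p.major === f.major)) from = `${f.major}.${f.minor}.0`;
    else from = `${f.major}.0.0`;
    return { from, before: `${f.major}.${f.minor}.${f.patch}` };
  });
}

// Fix versions and explicit ranges copied from the entries above.
const ADVISORIES = [
  { id: "CVE-2023-34092", ranges: rangesFromFixList(["2.9.16", "3.2.7", "4.0.5", "4.1.5", "4.2.3", "4.3.9"]) },
  { id: "CVE-2025-30208", ranges: rangesFromFixList(["6.2.3", "6.1.2", "6.0.12", "5.4.15", "4.5.10"]) },
  { id: "CVE-2025-32395", ranges: rangesFromFixList(["6.2.6", "6.1.5", "6.0.15", "5.4.18", "4.5.13"]) },
  { id: "CVE-2025-46565", ranges: rangesFromFixList(["6.3.4", "6.2.7", "6.1.6", "5.4.19", "4.5.14"]) },
  { id: "CVE-2025-58751", ranges: rangesFromFixList(["7.1.5", "7.0.7", "6.3.6", "5.4.20"]) },
  { id: "CVE-2025-58752", ranges: rangesFromFixList(["7.1.5", "7.0.7", "6.3.6", "5.4.20"]) },
  { id: "CVE-2026-39363", ranges: rangesFromFixList(["6.4.2", "7.3.2", "8.0.5"], "6.0.0") },
  { id: "CVE-2026-39364", ranges: rangesFromFixList(["7.3.2", "8.0.5"], "7.1.0") },
  { id: "CVE-2026-39365", ranges: rangesFromFixList(["6.4.2", "7.3.2", "8.0.5"], "6.0.0") },
  { id: "CVE-2025-62522", ranges: [ // explicit ranges, as written in the entry
      { from: "2.9.18", before: "3.0.0" }, { from: "3.2.9", before: "4.0.0" },
      { from: "4.5.3", before: "5.0.0" }, { from: "5.2.6", before: "5.4.21" },
      { from: "6.0.0", before: "6.4.1" }, { from: "7.0.0", before: "7.0.8" },
      { from: "7.1.0", before: "7.1.11" } ] },
];

function isAffected(version, advisory) {
  const v = parseVersion(version);
  return advisory.ranges.some((r) =>
    compareVersions(v, parseVersion(r.from)) >= 0 && compareVersions(v, parseVersion(r.before)) < 0);
}

// IDs of the advisories above whose affected range contains `version`.
function affectedAdvisories(version) {
  return ADVISORIES.filter((a) => isAffected(version, a)).map((a) => a.id);
}

// Demo with a constructed version; substitute the one from your lockfile.
console.log(affectedAdvisories("6.1.1"));
```

A pre-release such as 6.2.3-beta.1 is reported as still affected by anything fixed in 6.2.3, which errs toward a false positive. A version above every listed fix for an advisory (8.0.5 for the 2026 entries) falls in no range and is reported clean.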
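Several entries above describe the same thing from the attacker's side: a query-string or path shape that slips a denied file past `server.fs.deny` on a dev server exposed with `--host`. The block below is an added example, not code from VYPR or the Vite project, that turns those shapes into detection rules and runs them over constructed reverse-proxy log lines in Common Log Format. The request lines, client addresses and timestamps are made up for the example, the pattern-to-CVE mapping follows the entry texts, and a 200 status is taken to mean the file content actually left the machine.

```javascript
// Added example, not code from VYPR or the Vite project: flags dev-server
// requests carrying the server.fs bypass shapes named in the entries above.

// Constructed log lines (Common Log Format, as a reverse proxy in front of
// `vite --host` would write them). Addresses, times and paths are made up.
const SAMPLE_LOG = [
  '203.0.113.7 - - [31/Mar/2025:10:12:01 +0000] "GET /src/main.ts HTTP/1.1" 200 1432',
  '203.0.113.7 - - [31/Mar/2025:10:12:02 +0000] "GET /@fs/etc/passwd?raw?? HTTP/1.1" 200 2190',
  '203.0.113.7 - - [31/Mar/2025:10:12:03 +0000] "GET /@fs/home/dev/app/.env?import&raw?? HTTP/1.1" 200 311',
  '198.51.100.4 - - [03/Apr/2025:08:00:10 +0000] "GET /.env?inline&import HTTP/1.1" 403 0',
  '198.51.100.4 - - [03/Apr/2025:08:00:11 +0000] "GET /.env?.svg?.wasm?init HTTP/1.1" 200 311',
  '198.51.100.4 - - [03/Apr/2025:08:00:12 +0000] "GET //.env HTTP/1.1" 200 311',
  '198.51.100.4 - - [03/Apr/2025:08:00:13 +0000] "GET /.ENV HTTP/1.1" 200 311',
  '198.51.100.4 - - [03/Apr/2025:08:00:14 +0000] "GET /@fs/etc/passwd# HTTP/1.1" 200 2190',
  '198.51.100.4 - - [07/Apr/2026:09:30:00 +0000] "GET /.env?raw HTTP/1.1" 200 311',
  '198.51.100.4 - - [07/Apr/2026:09:30:01 +0000] "GET /node_modules/.vite/deps/../../../.env.map HTTP/1.1" 200 311',
  '198.51.100.4 - - [16/Dec/2025:09:30:00 +0000] "GET /__vite_rsc_findSourceMapURL HTTP/1.1" 200 120',
];

const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  return { client: m[1], when: m[2], method: m[3], target: m[4], status: +m[5] };
}

// Each rule tests the raw request-target (path plus query, un-normalized),
// because the bypasses live in the query string and in un-normalized paths.
const RULES = [
  { cve: "CVE-2025-30208", why: "?raw?? or ?import&raw?? suffix", test: (t) => /\?(?:import&)?raw\?\?/.test(t) },
  { cve: "CVE-2025-31125", why: "?inline&import or ?raw?import suffix", test: (t) => /\?(?:inline&import|raw\?import)/.test(t) },
  { cve: "CVE-2025-31486", why: "?.svg or ?.wasm?init suffix", test: (t) => /\?\.svg|\?\.wasm\?init/.test(t) },
  { cve: "CVE-2025-32395", why: "# inside request-target", test: (t) => t.includes("#") },
  { cve: "CVE-2023-34092", why: "double slash in path", test: (t) => t.split("?")[0].includes("//") },
  { cve: "CVE-2026-39364", why: "?raw on a .env/.crt file", test: (t) => /\.(?:env|crt)[^?]*\?(?:import&)?raw(?:$|&)/.test(t) },
  { cve: "CVE-2026-39365", why: "../ in a .map request", test: (t) => { const p = t.split("?")[0]; return p.includes("../") && p.endsWith(".map"); } },
  { cve: "CVE-2024-23331", why: "case-variant of .env", test: (t) => /\.env/i.test(t) && !t.includes(".env") },
  { cve: "CVE-2025-68155", why: "RSC findSourceMapURL endpoint", test: (t) => t.split("?")[0] === "/__vite_rsc_findSourceMapURL" },
];

// One finding per (request, matching rule). `served` is true when the dev
// server answered 200, i.e. the bypass most likely returned file content.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;  // skip lines that are not CLF
    for (const rule of RULES) {
      if (rule.test(req.target)) {
        findings.push({ client: req.client, when: req.when, target: req.target,
                        status: req.status, cve: rule.cve, why: rule.why,
                        served: req.status === 200 });
      }
    }
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.served ? "SERVED " : "blocked"} ${f.cve} ${f.client} ${f.target} (${f.why})`);
}
```

The rules deliberately match on the request-target as logged, not on a normalized path: the bypasses in these entries work precisely because the dev server normalized differently from its deny check. A blocked probe (403) is still worth keeping as an indicator that someone is working through this list against your host.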