Vulnerabilites related to vitejs - vite
CVE-2025-24010 (GCVE-0-2025-24010)
Vulnerability from cvelistv5
Published
2025-01-20 15:53
Modified
2025-01-21 14:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24010",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T14:52:46.258360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T14:52:53.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.9"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.4.12"
},
{
"status": "affected",
"version": "\u003c 4.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-350",
"description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-20T15:53:30.929Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6"
}
],
"source": {
"advisory": "GHSA-vg6x-rcgg-rjx6",
"discovery": "UNKNOWN"
},
"title": "Vite allows any websites to send any requests to the development server and read the response"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24010",
"datePublished": "2025-01-20T15:53:30.929Z",
"dateReserved": "2025-01-16T17:31:06.457Z",
"dateUpdated": "2025-01-21T14:52:53.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45812 (GCVE-0-2024-45812)
Vulnerability from cvelistv5
Published
2024-09-17 20:08
Modified
2024-09-18 13:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"lessThan": "5.4.6",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.3.6",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.2.14",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
},
{
"lessThan": "4.5.5",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.2.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45812",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:57:07.046459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:59:14.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.4.0, \u003c 5.4.6"
},
{
"status": "affected",
"version": "\u003e= 5.3.0, \u003c 5.3.6"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.2.14"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.5.5"
},
{
"status": "affected",
"version": "\u003c 3.2.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser\u0027s named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T20:08:13.372Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3"
},
{
"name": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"
},
{
"name": "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad"
},
{
"name": "https://research.securitum.com/xss-in-amp4email-dom-clobbering",
"tags": [
"x_refsource_MISC"
],
"url": "https://research.securitum.com/xss-in-amp4email-dom-clobbering"
},
{
"name": "https://scnps.co/papers/sp23_domclob.pdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://scnps.co/papers/sp23_domclob.pdf"
}
],
"source": {
"advisory": "GHSA-64vr-g452-qvp3",
"discovery": "UNKNOWN"
},
"title": "DOM Clobbering gadget found in vite bundled scripts that leads to XSS in Vite"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45812",
"datePublished": "2024-09-17T20:08:13.372Z",
"dateReserved": "2024-09-09T14:23:07.505Z",
"dateUpdated": "2024-09-18T13:59:14.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49293 (GCVE-0-2023-49293)
Vulnerability from cvelistv5
Published
2023-12-04 23:03
Modified
2025-05-29 13:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49293",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T13:40:33.559187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T13:40:53.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e=4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "= 4.5.0"
},
{
"status": "affected",
"version": "\u003e=5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-04T23:03:30.752Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
],
"source": {
"advisory": "GHSA-92r3-m2mg-pj97",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49293",
"datePublished": "2023-12-04T23:03:30.752Z",
"dateReserved": "2023-11-24T16:45:24.313Z",
"dateUpdated": "2025-05-29T13:40:53.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32395 (GCVE-0-2025-32395)
Vulnerability from cvelistv5
Published
2025-04-10 13:25
Modified
2025-04-10 14:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32395",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:14:30.473382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:14:40.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.2.0, \u003c 6.2.6"
},
{
"status": "affected",
"version": "\u003e= 6.1.0, \u003c 6.1.5"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.15"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.4.18"
},
{
"status": "affected",
"version": "\u003c 4.5.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won\u0027t contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:25:19.177Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4"
},
{
"name": "https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70"
}
],
"source": {
"advisory": "GHSA-356w-63v5-8wf4",
"discovery": "UNKNOWN"
},
"title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32395",
"datePublished": "2025-04-10T13:25:19.177Z",
"dateReserved": "2025-04-06T19:46:02.464Z",
"dateUpdated": "2025-04-10T14:14:40.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31486 (GCVE-0-2025-31486)
Vulnerability from cvelistv5
Published
2025-04-03 18:24
Modified
2025-04-03 20:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31486",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T20:39:24.672022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T20:39:28.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.12"
},
{
"status": "affected",
"version": "\u003e=5.0.0, \u003c 5.4.17"
},
{
"status": "affected",
"version": "\u003e=6.0.0, \u003c 6.0.14"
},
{
"status": "affected",
"version": "\u003e=6.1.0, \u003c 6.1.4"
},
{
"status": "affected",
"version": "\u003e=6.2.0, \u003c 6.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T18:24:39.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x"
},
{
"name": "https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647"
},
{
"name": "https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290"
}
],
"source": {
"advisory": "GHSA-xcj6-pq6g-qj4x",
"discovery": "UNKNOWN"
},
"title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31486",
"datePublished": "2025-04-03T18:24:39.616Z",
"dateReserved": "2025-03-28T13:36:51.298Z",
"dateUpdated": "2025-04-03T20:39:28.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34092 (GCVE-0-2023-34092)
Vulnerability from cvelistv5
Published
2023-06-01 16:29
Modified
2025-01-08 21:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:53.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67"
},
{
"name": "https://github.com/vitejs/vite/pull/13348",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/pull/13348"
},
{
"name": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34092",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T21:13:03.335508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T21:13:20.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003c 2.9.16"
},
{
"status": "affected",
"version": "\u003e= 3.0.2, \u003c 3.2.7"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.5"
},
{
"status": "affected",
"version": "\u003e= 4.1.0, \u003c 4.1.5"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.3"
},
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`[\u0027.env\u0027, \u0027.env.*\u0027, \u0027*.{crt,pem}\u0027]`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-50",
"description": "CWE-50: Path Equivalence: \u0027//multiple/leading/slash\u0027",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-01T16:29:51.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67"
},
{
"name": "https://github.com/vitejs/vite/pull/13348",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/pull/13348"
},
{
"name": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32"
}
],
"source": {
"advisory": "GHSA-353f-5xf4-qw67",
"discovery": "UNKNOWN"
},
"title": "Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34092",
"datePublished": "2023-06-01T16:29:51.428Z",
"dateReserved": "2023-05-25T21:56:51.244Z",
"dateUpdated": "2025-01-08T21:13:20.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30208 (GCVE-0-2025-30208)
Vulnerability from cvelistv5
Published
2025-03-24 17:03
Modified
2025-03-24 17:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30208",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T17:40:42.736527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T17:46:37.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.10"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.4.15"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.12"
},
{
"status": "affected",
"version": "\u003e= 6.1.0, \u003c 6.1.2"
},
{
"status": "affected",
"version": "\u003e= 6.2.0, \u003c 6.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import\u0026raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T17:03:40.728Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w"
},
{
"name": "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4"
},
{
"name": "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c"
},
{
"name": "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41"
},
{
"name": "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca"
},
{
"name": "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1"
}
],
"source": {
"advisory": "GHSA-x574-m823-4x7w",
"discovery": "UNKNOWN"
},
"title": "Vite bypasses server.fs.deny when using `?raw??`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30208",
"datePublished": "2025-03-24T17:03:40.728Z",
"dateReserved": "2025-03-18T18:15:13.849Z",
"dateUpdated": "2025-03-24T17:46:37.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31125 (GCVE-0-2025-31125)
Vulnerability from cvelistv5
Published
2025-03-31 17:06
Modified
2025-03-31 17:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31125",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T17:59:19.450898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T17:59:26.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.2.0, \u003c 6.2.4"
},
{
"status": "affected",
"version": "\u003e= 6.1.0, \u003c 6.1.3"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.13"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.4.16"
},
{
"status": "affected",
"version": "\u003c 4.5.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline\u0026import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T17:31:51.583Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"
},
{
"name": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949"
}
],
"source": {
"advisory": "GHSA-4r4m-qw57-chr8",
"discovery": "UNKNOWN"
},
"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31125",
"datePublished": "2025-03-31T17:06:30.704Z",
"dateReserved": "2025-03-26T15:04:52.626Z",
"dateUpdated": "2025-03-31T17:59:26.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31207 (GCVE-0-2024-31207)
Vulnerability from cvelistv5
Published
2024-04-04 15:51
Modified
2024-08-02 01:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31207",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-04T17:23:36.781933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:11.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"
},
{
"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"
},
{
"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"
},
{
"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"
},
{
"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"
},
{
"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"
},
{
"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c= 2.9.17"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.2.8"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c= 4.5.2"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c= 5.0.12"
},
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c= 5.1.6"
},
{
"status": "affected",
"version": "\u003e= 5.2.0, \u003c= 5.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-04T15:51:54.683Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"
},
{
"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"
},
{
"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"
},
{
"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"
},
{
"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"
},
{
"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"
},
{
"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"
}
],
"source": {
"advisory": "GHSA-8jhw-289h-jh2g",
"discovery": "UNKNOWN"
},
"title": "Vite\u0027s `server.fs.deny` did not deny requests for patterns with directories"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31207",
"datePublished": "2024-04-04T15:51:54.683Z",
"dateReserved": "2024-03-29T14:16:31.900Z",
"dateUpdated": "2024-08-02T01:46:04.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23331 (GCVE-0-2024-23331)
Vulnerability from cvelistv5
Published
2024-01-19 19:43
Modified
2025-06-17 21:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"
},
{
"name": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"
},
{
"name": "https://vitejs.dev/config/server-options.html#server-fs-deny",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vitejs.dev/config/server-options.html#server-fs-deny"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23331",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-22T14:54:35.729020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:25.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e=2.7.0, \u003c 2.9.17"
},
{
"status": "affected",
"version": "\u003e=3.0.0, \u003c3.2.8"
},
{
"status": "affected",
"version": "\u003e=4.0.0, \u003c 4.5.2"
},
{
"status": "affected",
"version": "\u003e=5.0.0, \u003c 5.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn\u0027t discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-19T19:43:17.404Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"
},
{
"name": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"
},
{
"name": "https://vitejs.dev/config/server-options.html#server-fs-deny",
"tags": [
"x_refsource_MISC"
],
"url": "https://vitejs.dev/config/server-options.html#server-fs-deny"
}
],
"source": {
"advisory": "GHSA-c24v-8rfc-w8vw",
"discovery": "UNKNOWN"
},
"title": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23331",
"datePublished": "2024-01-19T19:43:17.404Z",
"dateReserved": "2024-01-15T15:19:19.442Z",
"dateUpdated": "2025-06-17T21:19:25.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46565 (GCVE-0-2025-46565)
Vulnerability from cvelistv5
Published
2025-05-01 17:20
Modified
2025-05-02 17:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46565",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-02T17:38:51.291423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T17:38:55.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.3.0, \u003c 6.3.4"
},
{
"status": "affected",
"version": "\u003e= 6.2.0, \u003c 6.2.7"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.1.6"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.4.19"
},
{
"status": "affected",
"version": "\u003c 4.5.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T17:20:29.773Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
},
{
"name": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb"
}
],
"source": {
"advisory": "GHSA-859w-5945-r5v3",
"discovery": "UNKNOWN"
},
"title": "Vite\u0027s server.fs.deny bypassed with /. for files under project root"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46565",
"datePublished": "2025-05-01T17:20:29.773Z",
"dateReserved": "2025-04-24T21:10:48.174Z",
"dateUpdated": "2025-05-02T17:38:55.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35204 (GCVE-0-2022-35204)
Vulnerability from cvelistv5
Published
2022-08-18 18:15
Modified
2024-08-03 09:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:29:17.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/issues/8498"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/releases/tag/v2.9.13"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim\u0027s service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-18T18:14:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/issues/8498"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/releases/tag/v2.9.13"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35204",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim\u0027s service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/vitejs/vite/issues/8498",
"refsource": "MISC",
"url": "https://github.com/vitejs/vite/issues/8498"
},
{
"name": "https://github.com/vitejs/vite/releases/tag/v2.9.13",
"refsource": "MISC",
"url": "https://github.com/vitejs/vite/releases/tag/v2.9.13"
},
{
"name": "https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4",
"refsource": "MISC",
"url": "https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35204",
"datePublished": "2022-08-18T18:15:21",
"dateReserved": "2022-07-04T00:00:00",
"dateUpdated": "2024-08-03T09:29:17.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45811 (GCVE-0-2024-45811)
Vulnerability from cvelistv5
Published
2024-09-17 20:08
Modified
2024-09-18 14:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"lessThan": "5.4.6",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.3.6",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.2.14",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
},
{
"lessThan": "4.5.5",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.2.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45811",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:59:58.812671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:06:21.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.4.0, \u003c 5.4.6"
},
{
"status": "affected",
"version": "\u003e= 5.3.0, \u003c 5.3.6"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.2.14"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.5.5"
},
{
"status": "affected",
"version": "\u003c 3.2.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import\u0026raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T20:08:11.801Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx"
},
{
"name": "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34"
}
],
"source": {
"advisory": "GHSA-9cwx-2883-4wfx",
"discovery": "UNKNOWN"
},
"title": "server.fs.deny bypassed when using ?import\u0026raw in vite"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45811",
"datePublished": "2024-09-17T20:08:11.801Z",
"dateReserved": "2024-09-09T14:23:07.505Z",
"dateUpdated": "2024-09-18T14:06:21.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-08-18 19:15
Modified
2024-11-21 07:10
Severity ?
Summary
Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/vitejs/vite/issues/8498 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/vitejs/vite/releases/tag/v2.9.13 | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/issues/8498 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/releases/tag/v2.9.13 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4 | Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "BA74D018-9C42-4064-99A8-59E31BAB5856",
"versionEndExcluding": "2.9.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim\u0027s service."
},
{
"lang": "es",
"value": "Se ha detectado que Vitejs Vite versiones anteriores a v2.9.13, permit\u00eda a atacantes llevar a cabo un salto de directorio por medio de una URL dise\u00f1ada al servicio de la v\u00edctima."
}
],
"id": "CVE-2022-35204",
"lastModified": "2024-11-21T07:10:53.847",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-18T19:15:14.550",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/issues/8498"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/releases/tag/v2.9.13"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/issues/8498"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/releases/tag/v2.9.13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/releases/tag/v3.0.0-beta.4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-01 17:15
Modified
2024-11-21 08:06
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32 | Patch | |
| security-advisories@github.com | https://github.com/vitejs/vite/pull/13348 | Patch | |
| security-advisories@github.com | https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67 | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/pull/13348 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67 | Exploit, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "81E9D1EB-AFE2-43D9-A781-282140779EBF",
"versionEndExcluding": "3.2.7",
"versionStartIncluding": "3.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9A9DC92A-6C2A-48BC-B6B2-365E1589131F",
"versionEndExcluding": "4.0.5",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "3885C89E-1319-458B-9497-95485DD45953",
"versionEndExcluding": "4.1.5",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "B0F04F02-C6BA-4BFB-ACD6-96CBF811BB5E",
"versionEndExcluding": "4.2.3",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "3628D78A-7E86-490F-961F-9C3F538FBCEE",
"versionEndExcluding": "4.3.9",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:2.9.15:*:*:*:*:node.js:*:*",
"matchCriteriaId": "25EB63DE-73B0-4901-959E-FFF4FAD2CDE5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`[\u0027.env\u0027, \u0027.env.*\u0027, \u0027*.{crt,pem}\u0027]`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16."
}
],
"id": "CVE-2023-34092",
"lastModified": "2024-11-21T08:06:31.573",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-01T17:15:10.947",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/vitejs/vite/pull/13348"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/vitejs/vite/pull/13348"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-50"
},
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-706"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-19 20:15
Modified
2024-11-21 08:57
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5 | Patch | |
| security-advisories@github.com | https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw | Exploit, Vendor Advisory | |
| security-advisories@github.com | https://vitejs.dev/config/server-options.html#server-fs-deny | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vitejs.dev/config/server-options.html#server-fs-deny | Product |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "CA6E1BE3-E530-4BB3-8086-856A30ECC2AA",
"versionEndExcluding": "2.9.17",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "C09B4AF4-B3E4-457D-A5DB-CAB25D164084",
"versionEndExcluding": "3.2.8",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "78A4B866-994A-4B61-80AC-DDBCB478C66E",
"versionEndExcluding": "4.5.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5A0695F1-5643-4269-94C7-29F156D936F8",
"versionEndExcluding": "5.0.12",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn\u0027t discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers."
},
{
"lang": "es",
"value": "Vite es un framework de herramientas frontend para javascript. La opci\u00f3n del servidor de desarrollo de Vite `server.fs.deny` se puede omitir en sistemas de archivos que no distinguen entre may\u00fasculas y min\u00fasculas utilizando versiones de nombres de archivos aumentadas entre may\u00fasculas y min\u00fasculas. Cabe destacar que esto afecta a los servidores alojados en Windows. Esta omisi\u00f3n es similar a CVE-2023-34092, con un \u00e1rea de superficie reducida para hosts que tienen sistemas de archivos que no distinguen entre may\u00fasculas y min\u00fasculas. Dado que `picomatch` por defecto utiliza coincidencias globales que distinguen entre may\u00fasculas y min\u00fasculas, pero el servidor de archivos no discrimina; es posible omitir la lista negra. Al solicitar rutas de sistema de archivos sin formato usando may\u00fasculas aumentadas, el comparador derivado de `config.server.fs.deny` no logra bloquear el acceso a archivos confidenciales. Este problema se ha solucionado en vite@5.0.12, vite@4.5.2, vite@3.2.8 y vite@2.9.17. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben restringir el acceso a los servidores de desarrollo."
}
],
"id": "CVE-2024-23331",
"lastModified": "2024-11-21T08:57:31.573",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-19T20:15:14.070",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://vitejs.dev/config/server-options.html#server-fs-deny"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://vitejs.dev/config/server-options.html#server-fs-deny"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-178"
},
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-04 23:15
Modified
2024-11-21 08:33
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vitejs | vite | * | |
| vitejs | vite | * | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "794F0A24-E042-454A-8AF4-410CA6B9B7ED",
"versionEndIncluding": "4.4.11",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5035825C-DE1D-4C3E-B80A-B80BAA9B9B83",
"versionEndIncluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "49DB9151-3306-4887-B467-54BF1CB59077",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*",
"matchCriteriaId": "AD12B845-C230-4731-A1C3-F7C8563EC330",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*",
"matchCriteriaId": "71B39887-494A-42B0-97B5-3A27BBDA384F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*",
"matchCriteriaId": "42748778-8084-4E85-A870-F4938B2B4197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*",
"matchCriteriaId": "8CEA9A64-2C3B-48CD-B553-1B266E6D98DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*",
"matchCriteriaId": "C4335B97-76B1-4B91-BDF1-0DFFB8B5D966",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*",
"matchCriteriaId": "D4393D1C-F71A-4FBB-896E-91F5BDE99F5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*",
"matchCriteriaId": "41F91182-DFB5-4900-967A-3467C1160FD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*",
"matchCriteriaId": "E3A2BCC8-1B86-47D9-B1D9-374B3FAF452F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*",
"matchCriteriaId": "659D1924-3224-4F96-B88C-1A98909C3129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*",
"matchCriteriaId": "239A48C0-7571-46A9-ADF8-8044F89312DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*",
"matchCriteriaId": "0DBF0C24-7E51-4E33-B265-872250BAAFFE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*",
"matchCriteriaId": "061FD0EC-C333-43A4-B003-0B2C7CC5F377",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*",
"matchCriteriaId": "CDAA6C11-11F8-466A-910F-CEB4ECA6C2B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*",
"matchCriteriaId": "E3FE8672-FB0B-4E18-8830-85A858B4EBCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*",
"matchCriteriaId": "9DBA3329-186A-48FD-A1F1-0F0F4487FEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*",
"matchCriteriaId": "A4C137DE-8111-447B-AB2A-5DCF19C1EDE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*",
"matchCriteriaId": "1866630A-7067-4B2D-BB66-FA5A49556046",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*",
"matchCriteriaId": "0490F00F-EE92-4A86-A11F-7A81345700AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*",
"matchCriteriaId": "F7947662-99E7-42FA-9F5B-FBB84B370E76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*",
"matchCriteriaId": "DC5DF679-2F1D-4DDC-AD63-D4013D61D5F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*",
"matchCriteriaId": "D3EE21DD-285A-4B6A-A607-60D4E3842B28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Vite es un framework de interfaz de sitio web. Cuando la transformaci\u00f3n HTML de Vite se invoca manualmente a trav\u00e9s de `server.transformIndexHtml`, la URL de solicitud original se pasa sin modificar y el `html` que se transforma contiene scripts de m\u00f3dulo en l\u00ednea (``), es posible inyectar HTML arbitrario en la salida transformada proporcionando una cadena de consulta URL maliciosa a `server.transformIndexHtml`. Solo se ven afectadas las aplicaciones que usan `appType: \u0027custom\u0027` y usan el middleware HTML predeterminado de Vite. La entrada HTML tambi\u00e9n debe contener un script en l\u00ednea. El ataque requiere que un usuario haga clic en una URL maliciosa mientras ejecuta el servidor de desarrollo. Los archivos restringidos no est\u00e1n expuestos al atacante. Este problema se ha solucionado en vite@5.0.5, vite@4.5.1 y vite@4.4.12. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2023-49293",
"lastModified": "2024-11-21T08:33:12.293",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-04T23:15:27.730",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}