CVE-2025-24010 — Origin Validation Error in Vite

CWE-346 — Origin Validation Error CWE-350 — Reliance on Reverse DNS Resolution for a Security-Critical Action CWE-1385 — Missing Origin Validation in WebSockets4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 74.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vitejs Vite

Timeline

PublishedJan 20

Latest updateJan 21

Description

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5vitejs/vite< 4.5.6+2

▶NVDvitejs/vite5.0.0 — 5.4.12+2

▶npmvitejs/vite6.0.0 — 6.0.9+2

🔴Vulnerability Details

OSV

Websites were able to send any requests to the development server and read the response in vite↗2025-01-21

▶

GHSA

Websites were able to send any requests to the development server and read the response in vite↗2025-01-21

▶

📋Vendor Advisories

Red Hat

vite: Vite allows any websites to send any requests to the development server and read the response↗2025-01-20

▶