CVE-2025-24010
Published 2025-01-20
Priority P4 · CVSS 3.1 score 6.5 (medium) · vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS 0.28% (20.0th percentile)
Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send arbitrary requests to the development server and read the response, due to default CORS settings and a lack of validation of the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | < 4.5.6 | 4.5.6 |
| vitejs | vite | < 4.5.5 | 4.5.5 |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | >= 0 < 4.5.6 | 4.5.6 |
| vitejs | vite | >= 5.0.0 < 5.4.12 | 5.4.12 |
| vitejs | vite | >= 5.0.0 < 5.4.12 | 5.4.12 |
| vitejs | vite | >= 6.0.0 < 6.0.9 | 6.0.9 |
| vitejs | vite | >= 6.0.0 < 6.0.9 | 6.0.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| vendor_redhat | — | 6.5 | MEDIUM | — |
OSV
Websites were able to send any requests to the development server and read the response in vite
osv · 2025-01-21 · CVE-2025-24010 [MEDIUM]
### Summary
Vite allowed any website to send arbitrary requests to the development server and read the response, due to default CORS settings and a lack of validation of the Origin header for WebSocket connections.
> [!WARNING]
> This vulnerability applies even to users who only run the Vite dev server on the local machine and do not expose the dev server to the network.
### Upgrade Path
Users who do not match any of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.
- Using the backend integration feature
- Using a reverse proxy in front of Vite
- Accessing the development server via a domain othe
GHSA
Websites were able to send any requests to the development server and read the response in vite
ghsa · 2025-01-21 · CVE-2025-24010 [MEDIUM] · CWE-1385
Red Hat
vite: Vite allows any websites to send any requests to the development server and read the response
vendor_redhat · 2025-01-20 · CVSS 6.5 · CVE-2025-24010 [MEDIUM] · CWE-346
A flaw was found in the Vite frontend tooling framework for Node.js. Vite allowed any website to send arbitrary requests to the development server and read the response, due to default CORS settings and a lack of validation of the Origin header for WebSocket connections.
Package: automation-controller (Red Hat Ansible Automation Platform 2) - Not affected
Package: automation-eda-controller (Red H
No detection rules found.
No public exploits indexed.