CVE-2025-24010
published 2025-01-20


Priority: P4 / 32 / medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS: 0.28% (20.0th percentile)

Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send any request to the development server and read the response, due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

Affected

9 ranges
Vendor  Product  Version range        Fixed in
vitejs  vite     < 4.5.6              4.5.6
vitejs  vite     < 4.5.5              4.5.5
vitejs  vite
vitejs  vite
vitejs  vite     >= 0 < 4.5.6         4.5.6
vitejs  vite     >= 5.0.0 < 5.4.12    5.4.12
vitejs  vite     >= 5.0.0 < 5.4.12    5.4.12
vitejs  vite     >= 6.0.0 < 6.0.9     6.0.9
vitejs  vite     >= 6.0.0 < 6.0.9     6.0.9

CVSS provenance

nvd            v3.1  6.5  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vendor_redhat        6.5  MEDIUM