CVE-2025-32395: Sensitive Information Exposure in Vite

Severity: 6.0 MEDIUM (NVD)
EPSS: 0.2% (top 62.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 10; Latest update Apr 11

Description

Vite is a frontend tooling framework for JavaScript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. The HTTP/1.1 spec (RFC 9112) does not allow # in the request-target, although an attacker can still send such a request. For requests with an invalid request-line (which includes the request-target), the spec recommends rejecting them with 400 or 301. The same applies to HTTP/2. On Node and Bun, t

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages (2 packages)

CVEListV5: vitejs/vite < 4.5.13 (+4 more ranges)
npm: vitejs/vite, affected from 6.2.0, fixed in 6.2.6 (+4 more ranges)

🔴 Vulnerability Details (2)

OSV: Vite has an `server.fs.deny` bypass with an invalid `request-target` (2025-04-11)
GHSA: Vite has an `server.fs.deny` bypass with an invalid `request-target` (2025-04-11)

📋 Vendor Advisories (1)

Red Hat: vite: Vite has an `server.fs.deny` bypass with an invalid `request-target` (2025-04-10)