CVE-2025-46565
published 2025-05-01


Priority: P3 (37), medium
CVSS 3.1 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 1.08% (60.8th percentile)
Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files that are under the project root and are denied by a file matching pattern can be exposed. `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, and `*.{crt,pem}`). These patterns could be bypassed for files under `root` by using a combination of slash and dot (`/.`) in the request path. This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.

Affected

18 ranges

Vendor   Product   Version range                    Fixed in
gobgp    gobgp     >= 0 < 1.29-1ubuntu0.1+esm1      1.29-1ubuntu0.1+esm1
gobgp    gobgp     >= 0 < 2.12.0-1ubuntu0.1~esm2    2.12.0-1ubuntu0.1~esm2
gobgp    gobgp     >= 0 < 2.25.0-3ubuntu0.1+esm2    2.25.0-3ubuntu0.1+esm2
gobgp    gobgp     >= 0 < 3.23.0-1ubuntu0.3+esm2    3.23.0-1ubuntu0.3+esm2
vitejs   vite      < 4.5.14                         4.5.14
vitejs   vite
vitejs   vite
vitejs   vite
vitejs   vite
vitejs   vite      >= 0 < 4.5.14                    4.5.14
vitejs   vite      >= 5.0.0 < 5.4.19                5.4.19
vitejs   vite      >= 5.0.0 < 5.4.19                5.4.19
vitejs   vite      >= 6.0.0 < 6.1.6                 6.1.6
vitejs   vite      >= 6.0.0 < 6.1.6                 6.1.6
vitejs   vite      >= 6.2.0 < 6.2.7                 6.2.7
vitejs   vite      >= 6.2.0 < 6.2.7                 6.2.7
vitejs   vite      >= 6.3.0 < 6.3.4                 6.3.4
vitejs   vite      >= 6.3.0 < 6.3.4                 6.3.4

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd             v4.0      6.0     MEDIUM     CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                       7.5     HIGH
vendor_redhat             6.0     MEDIUM