Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-46565: Path Traversal in Vite

CWE-22 (Path Traversal) · 7 documents · 6 sources

Severity
  NVD: 6.0 MEDIUM
  OSV: 7.5
EPSS
  1.5% (top 18.90%)
CISA KEV
  Not in KEV
Exploit
  Public exploit / PoC available
Affected products
  See Affected Packages below
Timeline
  Published: May 1
  Latest update: Jul 22

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps that explicitly expose the Vite dev server to the network (using --host or the server.host config option) are affected. Only files that are under the project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching aga

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Decoded: network attack vector, low attack complexity, attack requirements present (the dev server has to be exposed on the network), no privileges required, passive user interaction, high confidentiality impact on the vulnerable system, no integrity or availability impact, and no impact on subsequent systems.

Affected Packages (4)

Source      Package        Range start            Fixed in   More
NVD         vitejs/vite    5.0.0                  5.4.19     +4
npm         vitejs/vite    6.3.0                  6.3.4      +4
CVEListV5   vitejs/vite    4 versions                        +3
Ubuntu      gobgp/gobgp    < 1.29-1ubuntu0.1+esm1            +3

🔴 Vulnerability Details (3)

OSV     gobgp vulnerabilities                                                  2025-07-22
GHSA    Vite's server.fs.deny bypassed with /. for files under project root    2025-04-30
OSV     Vite's server.fs.deny bypassed with /. for files under project root    2025-04-30

💥 Exploits & PoCs (1)

Nuclei  Vite Dev Server - Information Exposure

📋 Vendor Advisories (1)

Red Hat  vite: Path Traversal in Vite Dev Server Allows Access to Restricted Files    2025-05-01

🕵️ Threat Intelligence (1)

Greynoiseio  NoiseLetter March 2026