CVE-2025-46565
Published: 2025-05-01
Priority: P3 (37) · Severity: medium · CVSS 3.1: 5.3 (AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N)
EPSS: 1.08% (60.8th percentile)
Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files that are under the project root and are denied by a file matching pattern can be reached this way. `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*` and `*.{crt,pem}` as such patterns). These patterns could be bypassed for files under `root` by using a combination of slash and dot (`/.`). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Affected
18 ranges reported (duplicate and empty rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gobgp | gobgp | >= 0 < 1.29-1ubuntu0.1+esm1 | 1.29-1ubuntu0.1+esm1 |
| gobgp | gobgp | >= 0 < 2.12.0-1ubuntu0.1~esm2 | 2.12.0-1ubuntu0.1~esm2 |
| gobgp | gobgp | >= 0 < 2.25.0-3ubuntu0.1+esm2 | 2.25.0-3ubuntu0.1+esm2 |
| gobgp | gobgp | >= 0 < 3.23.0-1ubuntu0.3+esm2 | 3.23.0-1ubuntu0.3+esm2 |
| vitejs | vite | >= 0 < 4.5.14 | 4.5.14 |
| vitejs | vite | >= 5.0.0 < 5.4.19 | 5.4.19 |
| vitejs | vite | >= 6.0.0 < 6.1.6 | 6.1.6 |
| vitejs | vite | >= 6.2.0 < 6.2.7 | 6.2.7 |
| vitejs | vite | >= 6.3.0 < 6.3.4 | 6.3.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 6.0 | MEDIUM | — |
Red Hat (vendor_redhat · 2025-05-01 · CVSS 6.0)
CVE-2025-46565 [MEDIUM] CWE-22 vite: Path Traversal in Vite Dev Server Allows Access to Restricted Files
OSV (osv · 2025-07-22 · CVSS 7.5)
CVE-2023-46565 gobgp vulnerabilities
It was discovered that GoBGP did not properly manage memory under certain circumstances, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 22.04 LTS and Ubuntu 20.04 LTS. (CVE-2023-46565)

It was discovered that GoBGP did not properly verify the length of certain inputs. An attacker could possibly use this issue to cause a panic resulting in a denial of service. (CVE-2025-43970, CVE-2025-43971, CVE-2025-43972, CVE-2025-43973)
GHSA (ghsa · 2025-04-30)
CVE-2025-46565 [MEDIUM] CWE-22 Vite's server.fs.deny bypassed with /. for files under project root
### Summary
The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed.
- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env`
- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`
### Details
[`server.fs.deny`](https://vite.dev/c
OSV (osv · 2025-04-30)
CVE-2025-46565 [MEDIUM] Vite's server.fs.deny bypassed with /. for files under project root
No detection rules found.
Nuclei (nuclei · CVSS 6.0)
CVE-2025-46565 [MEDIUM] Vite Dev Server - Information Exposure
Bugzilla (bugzilla · 2025-05-01 · CVSS 6.0)
CVE-2025-46565 [MEDIUM] vite: Path Traversal in Vite Dev Server Allows Access to Restricted Files
Published: 2025-05-01