Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-62522: Path Traversal in Vite

CWE-22 Path Traversal | 6 documents | 6 sources
Severity: 6.0 MEDIUM (NVD)
EPSS: 1.1% (top 21.88%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Oct 20
Latest update: Mar 12

Description

Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ while the dev server was running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versi

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages (2 packages)

Source: npm | Package: vitejs/vite | Affected from: 7.1.0 | Fixed in: 7.1.11 | +6 more ranges
Source: CVEListV5 | Package: vitejs/vite | 7 versions | +6 more

🔴 Vulnerability Details (2)

OSV: vite allows server.fs.deny bypass via backslash on Windows (2025-10-20)
GHSA: vite allows server.fs.deny bypass via backslash on Windows (2025-10-20)

💥 Exploits & PoCs (1)

Nuclei: Vite - Information Disclosure

📋 Vendor Advisories (2)

CISA ICS: Siemens SIDIS Prime (2026-03-12)
Red Hat: vite: vite allows server.fs.deny bypass via backslash on Windows (2025-10-20)