CVE-2025-62522
Published 2025-10-20
Priority P3 · CVSS 4.0 base score 6.0 (Medium)
EPSS: 1.03% (59.4th percentile)
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Affected (14 ranges listed; the 7 without version data are omitted below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | >= 2.9.18 < 5.4.21 | 5.4.21 |
| vitejs | vite | >= 3.2.9 < 5.4.21 | 5.4.21 |
| vitejs | vite | >= 4.5.3 < 5.4.21 | 5.4.21 |
| vitejs | vite | >= 5.2.6 < 5.4.21 | 5.4.21 |
| vitejs | vite | >= 6.0.0 < 6.4.1 | 6.4.1 |
| vitejs | vite | >= 7.0.0 < 7.0.8 | 7.0.8 |
| vitejs | vite | >= 7.1.0 < 7.1.11 | 7.1.11 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.0 | MEDIUM | — |
OSV
osv · 2025-10-20 · CVE-2025-62522 [MEDIUM]
vite allows server.fs.deny bypass via backslash on Windows
### Summary
Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows.
### Impact
Only apps that match both of the following conditions are affected:
- the Vite dev server is explicitly exposed to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- the dev server is running on Windows
### Details
`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*` and `*.{crt,pem}`). These patterns could be bypassed by appending a backslash (`\`) to the URL. The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.
GHSA
ghsa · 2025-10-20 · CVE-2025-62522 [MEDIUM] · CWE-22
vite allows server.fs.deny bypass via backslash on Windows
Advisory text identical to the OSV entry above.
CISA ICS
cisa_ics · 2026-03-12 · CVSS 7.5 · [HIGH] · ICS Advisory ICSA-26-071-03
Siemens SIDIS Prime
Release date: March 12, 2026
## Summary
SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages, as described below. Siemens has released a new version of SIDIS Prime and recommends updating to the latest version.
The following versions of Siemens SIDIS Prime are affected:
- SIDIS Prime vers:intdot/<4.0.800 (CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-41996, CVE-2025-6965, CVE-2025-7783, CVE-2025-9230, CVE-2025-9232, CVE-2025-9670, CVE-2025-12816, CVE-2025-15284, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754, CVE-202
Red Hat
vendor_redhat · 2025-10-20 · CVSS 6.0 · CVE-2025-62522 [MEDIUM] · CWE-22
vite: vite allows server.fs.deny bypass via backslash on Windows
A path traversal flaw has been discovered in the Vite npm package. In affected versions, files denied by a server.fs.deny rule were sent if the URL ended with \ when the dev server is running on
No detection rules found.
Nuclei
nuclei · CVSS 6.0 · CVE-2025-62522 [MEDIUM]
Vite - Information Disclosure
Template:
```yaml
id: CVE-2025-62522
info:
  name: Vite - Information Disclosure
  author: DhiyaneshDK
  severity: medium
  description: |
    Vite is a frontend tooling framework for JavaScript.In versions from 2.9.18 to before 3.0.0, 3.2.9 to befo
```
No writeups or analysis indexed.
Published: 2025-10-20