vite-5.4.11.tgz: 6 vulnerabilities (highest severity is: 6.5) #158
Description
Vulnerable Library - vite-5.4.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (vite version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-46565 |  Medium |
6.5 | vite-5.4.11.tgz | Direct | 5.4.19 | ❌ |
| CVE-2025-32395 | Medium |
6.5 | vite-5.4.11.tgz | Direct | 5.4.18 | ❌ |
| CVE-2025-24010 | Medium |
6.5 | vite-5.4.11.tgz | Direct | vite - 4.5.6,5.4.12,6.0.9 | ❌ |
| CVE-2025-31486 | Medium |
5.3 | vite-5.4.11.tgz | Direct | 5.4.17 | ❌ |
| CVE-2025-31125 | Medium |
5.3 | vite-5.4.11.tgz | Direct | 5.4.16 | ❌ |
| CVE-2025-30208 | Medium |
5.3 | vite-5.4.11.tgz | Direct | 5.4.15 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-46565
Vulnerable Library - vite-5.4.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-5.4.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. "server.fs.deny" can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under "root" by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Publish Date: 2025-05-01
URL: CVE-2025-46565
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-859w-5945-r5v3
Release Date: 2025-05-01
Fix Resolution: 5.4.19
Step up your Open Source Security Game with Mend here
CVE-2025-32395
Vulnerable Library - vite-5.4.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-5.4.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
Publish Date: 2025-04-10
URL: CVE-2025-32395
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-356w-63v5-8wf4
Release Date: 2025-04-10
Fix Resolution: 5.4.18
Step up your Open Source Security Game with Mend here
CVE-2025-24010
Vulnerable Library - vite-5.4.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-5.4.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
Publish Date: 2025-01-20
URL: CVE-2025-24010
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vg6x-rcgg-rjx6
Release Date: 2025-01-20
Fix Resolution: vite - 4.5.6,5.4.12,6.0.9
Step up your Open Source Security Game with Mend here
CVE-2025-31486
Vulnerable Library - vite-5.4.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-5.4.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
Publish Date: 2025-04-03
URL: CVE-2025-31486
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-04-03
Fix Resolution: 5.4.17
Step up your Open Source Security Game with Mend here
CVE-2025-31125
Vulnerable Library - vite-5.4.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-5.4.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Publish Date: 2025-03-31
URL: CVE-2025-31125
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-31
Fix Resolution: 5.4.16
Step up your Open Source Security Game with Mend here
CVE-2025-30208
Vulnerable Library - vite-5.4.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-5.4.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. "@fs" denies access to files outside of Vite serving allow list. Adding "?raw??" or "?import&raw??" to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as "?" are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using "--host" or "server.host" config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Publish Date: 2025-03-24
URL: CVE-2025-30208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-24
Fix Resolution: 5.4.15
Step up your Open Source Security Game with Mend here