vite allows server.fs.deny bypass via backslash on Windows

Description

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.2.6, <= 5.4.20

  >= 4.5.3, < 5.0.0

  >= 3.2.9, < 4.0.0

  >= 2.9.18, < 3.0.0

  >= 6.0.0, <= 6.4.0

  >= 7.0.0, <= 7.0.7

  >= 7.1.0, <= 7.1.10**

• Patched version(s): **5.4.21

  6.4.1

  7.0.8

  7.1.11**

References

• GHSA-93m4-6634-74q7
• CVE-2025-62522
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395
• Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
• Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
• qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - CVE-2025-15284

Tags:

npm

vite