Vite allows server.fs.deny to be bypassed with .svg or relative paths

Description

The contents of arbitrary files can be returned to the browser.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **< 4.5.12

  >= 5.0.0, < 5.4.17

  >= 6.0.0, < 6.0.14

  >= 6.1.0, < 6.1.4

  >= 6.2.0, < 6.2.5**

• Patched version(s): **4.5.12

  5.4.17

  6.0.14

  6.1.4

  6.2.5**

References

• GHSA-xcj6-pq6g-qj4x
• CVE-2025-31486
• CWE-200
• CWE-284
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
• vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
• Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
• Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) - CVE-2023-34092

You might also like:

Exploiting Server Version Disclosure

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

vite