Vite allows server.fs.deny to be bypassed with .svg or relative paths

Description

The contents of arbitrary files can be returned to the browser.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **< 4.5.12

  >= 5.0.0, < 5.4.17

  >= 6.0.0, < 6.0.14

  >= 6.1.0, < 6.1.4

  >= 6.2.0, < 6.2.5**

• Patched version(s): **4.5.12

  5.4.17

  6.0.14

  6.1.4

  6.2.5**

References

• GHSA-xcj6-pq6g-qj4x
• CVE-2025-31486
• CWE-200
• CWE-284
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Vite XSS vulnerability in `server.transformIndexHtml` via URL payload - CVE-2023-49293
• CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
• DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware - CVE-2025-59037
• Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751

Tags:

npm

vite