Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Description

The contents of arbitrary files can be returned to the browser.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **< 4.5.11

  >= 5.0.0, < 5.4.16

  >= 6.0.0, < 6.0.13

  >= 6.1.0, < 6.1.3

  >= 6.2.0, < 6.2.4**

• Patched version(s): **4.5.11

  5.4.16

  6.0.13

  6.1.3

  6.2.4**

References

• GHSA-4r4m-qw57-chr8
• www.cisa.gov
• CVE-2025-31125
• CWE-200
• CWE-284
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Vite's `server.fs.deny` is bypassed when using `?import&raw` - CVE-2024-45811
• Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
• Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
• Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395

Tags:

npm

vite