Vite has an `server.fs.deny` bypass with an invalid `request-target`
- Severity:
- Medium
Description
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **< 4.5.13 >= 5.0.0, < 5.4.18 >= 6.0.0, < 6.0.15 >= 6.1.0, < 6.1.5 >= 6.2.0, < 6.2.6** Patched version(s): **4.5.13 5.4.18 6.0.15 6.1.5 6.2.6**
References
Related Issues
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
- Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on April 11, 2025