Vite has an `server.fs.deny` bypass with an invalid `request-target`
- Severity:
- Medium
Description
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **< 4.5.13 >= 5.0.0, < 5.4.18 >= 6.0.0, < 6.0.15 >= 6.1.0, < 6.1.5 >= 6.2.0, < 6.2.6** Patched version(s): **4.5.13 5.4.18 6.0.15 6.1.5 6.2.6**
References
Related Issues
- Follow Redirects improperly handles URLs in the url.parse() function - CVE-2023-26159
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- AngularJS allows attackers to bypass common image source restrictions - CVE-2024-8372
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on April 11, 2025