Vite has an `server.fs.deny` bypass with an invalid `request-target`
- Severity: Medium
Description
The contents of arbitrary files on the host can be returned to the browser if the dev server is running on Node or Bun. The trigger is an HTTP request whose request-target is invalid: it carries a `#` fragment, which RFC 9112 does not permit in a request-line. Node's and Bun's HTTP parsers do not reject such a request; it reaches Vite with the `#` still present in `req.url`. Vite's `server.fs.deny` check assumed `req.url` never contains `#`, so a crafted request-target could pass the check and still be resolved to a file outside the allowed directories. Browsers and `fetch` strip fragments before sending, so the request has to come from a raw HTTP client with network access to the dev server; a server that is not explicitly exposed to the network (`--host` or the `server.host` option) is only reachable from the local machine.
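To make the check-versus-serve mismatch concrete, the following is an added example, not Vite's source, that models a `/@fs/` static handler in a few lines (`ROOT`, `FS_PREFIX`, `vulnerableServe` and `hardenedServe` are hypothetical names, and the request-targets are constructed for the demo). The vulnerable variant validates a fragment-stripped copy of the URL but resolves the raw request-target on disk; the hardened variant rejects any request-target containing `#` with 400 and checks exactly the path it will open.

```javascript
// Added example modelling the server.fs.deny bypass; not Vite's code.
// ROOT, FS_PREFIX, vulnerableServe and hardenedServe are hypothetical names.

const ROOT = '/srv/app';     // hypothetical project root; stands in for server.fs.allow
const FS_PREFIX = '/@fs/';   // prefix under which files are served by absolute path

// Drop query string and fragment, as a URL cleaner does before path checks.
function cleanUrl(url) {
  return url.replace(/[?#].*$/s, '');
}

// Minimal POSIX path normaliser: resolves '.', '..' and duplicate slashes.
// '#' is not special here, which is exactly why a fragment that survives
// into the path is dangerous.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();      // popping past the root simply stays at '/'
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Map '/@fs/srv/app/x' to the absolute filesystem path '/srv/app/x'.
function fsPathOf(url) {
  return normalizePosix(decodeURIComponent(url.slice(FS_PREFIX.length)));
}

// Policy: only files under ROOT, and never a '.env' file (stand-in for server.fs.deny).
function isAllowedPath(absPath) {
  const inside = absPath === ROOT || absPath.startsWith(ROOT + '/');
  return inside && absPath.split('/').pop() !== '.env';
}

// Vulnerable pattern: the guard sees the cleaned URL, the file comes from the raw one.
function vulnerableServe(reqUrl) {
  if (!reqUrl.startsWith(FS_PREFIX)) return { status: 404 };
  const checked = fsPathOf(cleanUrl(reqUrl));          // '#...' removed before the check
  if (!isAllowedPath(checked)) return { status: 403 };
  // The static layer strips a query string as usual, but nobody expected a fragment,
  // so '#' is an ordinary character and the '..' segments after it climb out of ROOT.
  const served = fsPathOf(reqUrl.replace(/\?.*$/s, ''));
  return { status: 200, file: served };
}

// Hardened pattern: refuse the invalid request-target, then check the exact path to be opened.
function hardenedServe(reqUrl) {
  // RFC 9112: a request-target never carries a fragment. Node and Bun still hand such a
  // request line to user code, so the application has to reject it itself.
  if (reqUrl.includes('#')) return { status: 400 };
  if (!reqUrl.startsWith(FS_PREFIX)) return { status: 404 };
  let served;
  try {
    served = fsPathOf(cleanUrl(reqUrl));
  } catch (e) {
    return { status: 400 };                            // malformed percent-encoding
  }
  if (!isAllowedPath(served)) return { status: 403 };  // same path that will be opened
  return { status: 200, file: served };
}

// Constructed request-targets: a normal file, a plain traversal, and the fragment bypass.
const SAMPLES = [
  '/@fs/srv/app/src/main.ts',
  '/@fs/srv/app/../../etc/passwd',
  '/@fs/srv/app/#/../../../../etc/passwd',
];

function demo() {
  return SAMPLES.map((u) => ({ url: u, vulnerable: vulnerableServe(u), hardened: hardenedServe(u) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) {
    console.log(r.url, '->', JSON.stringify(r.vulnerable), JSON.stringify(r.hardened));
  }
}
```

Run it with `node` to see each sample request-target resolved under both policies: the plain `..` traversal is caught by both, but only the hardened handler stops the fragment variant, and it does so before the deny list is consulted at all. Because browsers strip fragments, confirming the behaviour against a live dev server needs a raw client; curl's `--request-target` option sends the request-target literally.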
Recommendation
Update the `vite` package to the latest compatible version. Version details:

Affected version(s):
- `< 4.5.13`
- `>= 5.0.0, < 5.4.18`
- `>= 6.0.0, < 6.0.15`
- `>= 6.1.0, < 6.1.5`
- `>= 6.2.0, < 6.2.6`

Patched version(s): **4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6**
Related Issues
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Tags: npm, vite
Last updated on April 11, 2025