Vite has a `server.fs.deny` bypass with an invalid `request-target`
- Severity: Medium
Description
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
Recommendation
Update the vite package to the latest compatible version. Version details follow:
Affected version(s):
- **< 4.5.13**
- **>= 5.0.0, < 5.4.18**
- **>= 6.0.0, < 6.0.15**
- **>= 6.1.0, < 6.1.5**
- **>= 6.2.0, < 6.2.6**
Patched version(s): **4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6**
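To turn the ranges above into a check that can run in CI, here is an added example (not code from the advisory or from the Vite project) that compares an installed vite version against the affected ranges and reports the patched release to move to. It assumes the project's `node_modules/vite/package.json` is the source of truth for the installed version; pre-release tags are treated as sorting below the corresponding release, as semver requires.

```python
import json
import os
import re

# Ranges copied from the advisory:
# (lower bound inclusive or None, upper bound exclusive, patched version to upgrade to)
AFFECTED_RANGES = [
    (None,    "4.5.13", "4.5.13"),
    ("5.0.0", "5.4.18", "5.4.18"),
    ("6.0.0", "6.0.15", "6.0.15"),
    ("6.1.0", "6.1.5",  "6.1.5"),
    ("6.2.0", "6.2.6",  "6.2.6"),
]

def parse_version(text):
    """Turn '6.2.5', 'v6.2.5' or '6.2.6-beta.0' into a comparable tuple.
    The 4th element is 0 for a pre-release and 1 for a final release, so that
    6.2.6-beta.0 sorts below 6.2.6 (and is therefore still counted as affected)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def check_vite_version(version):
    """Return the patched version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, patched in AFFECTED_RANGES:
        in_lower = lower is None or v >= parse_version(lower)
        if in_lower and v < parse_version(upper):
            return patched
    return None

def installed_vite_version(project_dir="."):
    """Read the version actually installed under node_modules (None if vite is absent)."""
    pkg = os.path.join(project_dir, "node_modules", "vite", "package.json")
    if not os.path.exists(pkg):
        return None
    with open(pkg, encoding="utf-8") as f:
        return json.load(f)["version"]

if __name__ == "__main__":
    installed = installed_vite_version()
    if installed is None:
        print("vite is not installed in ./node_modules")
    else:
        fix = check_vite_version(installed)
        print(f"vite {installed}: " + (f"affected, upgrade to {fix}" if fix else "not affected"))
```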
Related Issues
- Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
- Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
- Tags: npm, vite
Last updated on April 11, 2025