Vite has an `server.fs.deny` bypass with an invalid `request-target`

Description

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **< 4.5.13

  >= 5.0.0, < 5.4.18

  >= 6.0.0, < 6.0.15

  >= 6.1.0, < 6.1.5

  >= 6.2.0, < 6.2.6**

• Patched version(s): **4.5.13

  5.4.18

  6.0.15

  6.1.5

  6.2.6**

References

• GHSA-356w-63v5-8wf4
• CVE-2025-32395
• CWE-200
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
• vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
• Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
• Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486

You might also like:

Exploiting Server Version Disclosure

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

vite