Description
The contents of arbitrary files can be returned to the browser.
Recommendation
Update the vite package to the latest compatible version. The affected ranges and the patched version that closes each of them are:
- Affected **<= 3.2.10**, patched in **3.2.11**
- Affected **>= 4.0.0, <= 4.5.3**, patched in **4.5.4**
- Affected **>= 5.0.0, <= 5.1.7**, patched in **5.1.8**
- Affected **>= 5.2.0, < 5.2.14**, patched in **5.2.14**
- Affected **>= 5.3.0, <= 5.3.5**, patched in **5.3.6**
- Affected **>= 5.4.0, <= 5.4.5**, patched in **5.4.6**
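The ranges above are easy to misread when they are run together, so the following is an added example (not part of this advisory and not code from the Vite project) that encodes them as data and checks a given vite version against them. It assumes plain semver release strings such as those found in a lockfile; the tiny parser below is a hand-written subset of semver, not the npm `semver` package, and it orders a prerelease tag below its release but does not order prerelease tags against each other.

```python
"""Check installed vite versions against the affected ranges in this advisory.

Added example: the ranges and patched versions are copied from the advisory
text; the version comparison is a small hand-written semver subset.
"""
import re
from typing import Iterable, Optional, Tuple

# (lower bound, lower inclusive, upper bound, upper inclusive, patched version)
# exactly as the advisory states them. A lower bound of None means "no lower bound".
AFFECTED_RANGES = [
    (None,    True, "3.2.10", True,  "3.2.11"),
    ("4.0.0", True, "4.5.3",  True,  "4.5.4"),
    ("5.0.0", True, "5.1.7",  True,  "5.1.8"),
    ("5.2.0", True, "5.2.14", False, "5.2.14"),
    ("5.3.0", True, "5.3.5",  True,  "5.3.6"),
    ("5.4.0", True, "5.4.5",  True,  "5.4.6"),
]

# Optional leading "v", MAJOR.MINOR.PATCH, optional -prerelease, optional +build.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a sortable tuple.

    Build metadata is ignored. The last element makes a prerelease
    (e.g. 5.4.6-beta.1) sort below the release 5.4.6; individual prerelease
    identifiers are not ordered against each other, which is sufficient
    for comparing against the release-only bounds used in this advisory.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def _in_range(v, lower, lower_inc, upper, upper_inc) -> bool:
    """True if parsed version v lies inside one affected range."""
    if lower is not None:
        lo = parse_version(lower)
        if v < lo or (v == lo and not lower_inc):
            return False
    hi = parse_version(upper)
    if v > hi or (v == hi and not upper_inc):
        return False
    return True


def find_fix(version: str) -> Optional[str]:
    """Return the patched version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, lower_inc, upper, upper_inc, patched in AFFECTED_RANGES:
        if _in_range(v, lower, lower_inc, upper, upper_inc):
            return patched
    return None


def check_versions(versions: Iterable[str]) -> dict:
    """Map every affected version in `versions` (e.g. all vite entries
    collected from a lockfile) to the patched version it should move to."""
    return {ver: fix for ver in versions if (fix := find_fix(ver)) is not None}


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real project.
    sample = ["5.4.5", "5.4.6", "4.5.3", "3.2.11", "5.2.13", "5.2.14", "2.9.0"]
    for ver in sample:
        fix = find_fix(ver)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"vite@{ver}: {status}")
```

Feed `check_versions` every vite version pinned in a lockfile (a monorepo can carry several) rather than only the one in `package.json`, because the dev server that serves files is whichever copy is actually installed.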
References
Related Issues
- Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
- Vite bypasses `server.fs.deny` when using ?raw?? - CVE-2025-30208
- Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) - CVE-2023-34092
Tags:
- npm
- vite
Last updated on September 19, 2024