Websites were able to send any requests to the development server and read the response in vite

Description

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 4.5.5

  >= 5.0.0, <= 5.4.11

  >= 6.0.0, <= 6.0.8**

• Patched version(s): **4.5.6

  5.4.12

  6.0.9**

References

• GHSA-vg6x-rcgg-rjx6
• CVE-2025-24010
• CWE-1385
• CWE-346
• CWE-350
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
• Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
• Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
• Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395

Tags:

npm

vite