Websites were able to send any requests to the development server and read the response in vite

Description

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 4.5.5

  >= 5.0.0, <= 5.4.11

  >= 6.0.0, <= 6.0.8**

• Patched version(s): **4.5.6

  5.4.12

  6.0.9**

References

• GHSA-vg6x-rcgg-rjx6
• CVE-2025-24010
• CWE-1385
• CWE-346
• CWE-350
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/vite-builder - CVE-2025-24360
• Astro Development Server has Arbitrary Local File Read - CVE-2025-64757
• Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
• Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

vite