Websites were able to send any requests to the development server and read the response in vite
- Severity:
- Medium
Description
Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **<= 4.5.5 >= 5.0.0, <= 5.4.11 >= 6.0.0, <= 6.0.8** Patched version(s): **4.5.6 5.4.12 6.0.9**
References
Related Issues
- Astro Development Server has Arbitrary Local File Read - CVE-2025-64757
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/vite-builder - CVE-2025-24360
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
You might also like:
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on February 07, 2025


