| purl | pkg:npm/vite@2.7.2 |
|---|---|

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4fzm-kvpq-7kcm (aliases: CVE-2024-31207, GHSA-8jhw-289h-jh2g) | Vite (French word for "quick", pronounced /vit/, like "veet") is frontend build tooling that improves the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in versions 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18. | 6 fixing package versions (affected by 12, 11, 12, 11, 11 and 12 other vulnerabilities respectively) |
| VCID-53we-mdcx-bbfr (aliases: CVE-2024-45812, GHSA-64vr-g452-qvp3) | Vite is a frontend build tooling framework for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to the `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the web page (e.g. through a post or comment) and leverages the gadgets (pieces of JavaScript) living in the existing JavaScript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite-bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack: the `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the `src` attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | 9 fixing package versions (affected by 9, 9, 0, 9, 9, 9, 9, 9 and 9 other vulnerabilities respectively) |
| VCID-6mrd-hwmy-4yay (aliases: CVE-2025-31125, GHSA-4r4m-qw57-chr8) | Vite is a frontend tooling framework for JavaScript. Vite exposes the content of non-allowed files using `?inline&import` or `?raw?import`. Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. | 10 fixing package versions (affected by 6, 3, 6, 1, 7, 5, 7, 4, 7 and 4 other vulnerabilities respectively) |
| VCID-84n3-jwnn-6kc4 (aliases: CVE-2025-31486, GHSA-xcj6-pq6g-qj4x) | Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser. By adding `?.svg` together with `?.wasm?init`, or with a `sec-fetch-dest: script` header, the `server.fs.deny` restriction could be bypassed. This bypass is only possible if the file is smaller than `build.assetsInlineLimit` (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5. | 5 fixing package versions (affected by 5, 5, 6, 6 and 6 other vulnerabilities respectively) |
| VCID-bn49-7c61-27fp (aliases: CVE-2025-46565, GHSA-859w-5945-r5v3) | Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file-matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. Only files that are under the project root and are denied by a file-matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*` and `*.{crt,pem}` as such patterns). These patterns could be bypassed for files under `root` by using a combination of slash and dot (`/.`). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14. | 9 fixing package versions (affected by 3, 3, 3, 1, 4, 4, 4, 4 and 4 other vulnerabilities respectively) |
| VCID-g8z2-qvuv-b7da (aliases: CVE-2025-24010, GHSA-vg6x-rcgg-rjx6) | Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send any request to the development server and read the response, due to default CORS settings and a lack of validation of the `Origin` header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6. | 3 fixing package versions (affected by 8, 8 and 9 other vulnerabilities respectively) |
| VCID-h2jq-e6kt-v3f9 (aliases: CVE-2025-58752, GHSA-jqfw-vq24-v9c3) | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML file on the machine was served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) and use `appType: 'spa'` (the default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server, which allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue. | 4 fixing package versions (affected by 2, 2, 3 and 3 other vulnerabilities respectively) |
| VCID-h3c2-mbd1-zua6 (aliases: CVE-2025-58751, GHSA-g4jq-h2w9-997c) | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files whose names start with the same name as the public directory were served, bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue. | 4 fixing package versions (affected by 2, 2, 3 and 3 other vulnerabilities respectively) |
| VCID-jhy2-cnvt-nyg1 (aliases: CVE-2024-45811, GHSA-9cwx-2883-4wfx) | Vite is a frontend build tooling framework for JavaScript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of the Vite serving allow list; adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | 9 fixing package versions (affected by 9, 9, 0, 9, 9, 9, 9, 9 and 9 other vulnerabilities respectively) |
| VCID-nh6q-ms28-13ee (aliases: CVE-2026-39365, GHSA-4w7w-66w2-5vf9) | Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server's handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the `server.fs.strict` allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5. | 5 fixing package versions (each affected by 0 other vulnerabilities) |
| VCID-w4t6-jjc1-afac (aliases: CVE-2025-32395, GHSA-356w-63v5-8wf4) | | 5 fixing package versions (affected by 4, 4, 5, 5 and 5 other vulnerabilities respectively) |
| VCID-wf6g-h5dq-1qg3 (aliases: CVE-2022-35204, GHSA-mv48-hcvh-8jj8) | Vite before v2.9.13 is vulnerable to directory traversal via a crafted URL to the victim's service. | 2 fixing package versions (affected by 13 and 11 other vulnerabilities respectively) |
| VCID-xrg5-ae14-c3e1 (aliases: CVE-2025-30208, GHSA-x574-m823-4x7w) | Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of the Vite serving allow list; adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places but are not accounted for in the query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue. | 5 fixing package versions (affected by 7, 7, 8, 8 and 8 other vulnerabilities respectively) |
| VCID-zhj7-qfr7-5ubt (aliases: CVE-2024-23331, GHSA-c24v-8rfc-w8vw) | Vite is a frontend tooling framework for JavaScript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with the surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching but the file server doesn't discriminate, a blacklist bypass is possible: by requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. | 8 fixing package versions (affected by 12, 12, 12, 9, 12, 3, 12 and 11 other vulnerabilities respectively) |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |