VulnerableCode Package Details - pkg:npm/vite@4.5.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-s6e9-86vw-kqej Aliases: CVE-2024-23331 GHSA-c24v-8rfc-w8vw	Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.	4.5.2 Affected by 0 other vulnerabilities. 5.0.12 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-s6e9-86vw-kqej
Aliases:
CVE-2024-23331
GHSA-c24v-8rfc-w8vw

Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

4.5.2
Affected by 0 other vulnerabilities.

5.0.12
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-qqmk-huxn-kkcq	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.	CVE-2023-49293 GHSA-92r3-m2mg-pj97

Vulnerability

Summary

Aliases

VCID-qqmk-huxn-kkcq

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

CVE-2023-49293
GHSA-92r3-m2mg-pj97

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T21:37:33.876378+00:00	GHSA Importer	Fixing	VCID-qqmk-huxn-kkcq	https://github.com/advisories/GHSA-92r3-m2mg-pj97	38.6.0
2026-05-31T11:06:19.786794+00:00	GithubOSV Importer	Fixing	VCID-qqmk-huxn-kkcq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-92r3-m2mg-pj97/GHSA-92r3-m2mg-pj97.json	38.6.0
2026-05-31T01:01:51.001644+00:00	GHSA Importer	Affected by	VCID-s6e9-86vw-kqej	https://github.com/advisories/GHSA-c24v-8rfc-w8vw	38.6.0
2026-05-30T21:03:05.440631+00:00	GitLab Importer	Affected by	VCID-s6e9-86vw-kqej	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-23331.yml	38.6.0
2026-05-30T21:02:42.248930+00:00	GitLab Importer	Fixing	VCID-qqmk-huxn-kkcq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2023-49293.yml	38.6.0