Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/vite@4.5.7
purl pkg:npm/vite@4.5.7
Next non-vulnerable version 6.4.2
Latest non-vulnerable version 8.0.5
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-b2m1-kmdu-ykgt
Aliases:
CVE-2025-58752
GHSA-jqfw-vq24-v9c3
Vite's `server.fs` settings were not applied to HTML files Any HTML files on the machine were served regardless of the `server.fs` settings.
5.4.20
Affected by 2 other vulnerabilities.
6.3.6
Affected by 2 other vulnerabilities.
7.0.7
Affected by 3 other vulnerabilities.
7.1.5
Affected by 3 other vulnerabilities.
VCID-cwjw-gp95-5uad
Aliases:
CVE-2025-31125
GHSA-4r4m-qw57-chr8
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query The contents of arbitrary files can be returned to the browser.
4.5.11
Affected by 6 other vulnerabilities.
5.0.0-beta.0
Affected by 3 other vulnerabilities.
5.4.16
Affected by 6 other vulnerabilities.
6.0.0-alpha.0
Affected by 1 other vulnerability.
6.0.13
Affected by 7 other vulnerabilities.
6.1.0-beta.0
Affected by 5 other vulnerabilities.
6.1.3
Affected by 7 other vulnerabilities.
6.2.0-beta.0
Affected by 4 other vulnerabilities.
6.2.4
Affected by 7 other vulnerabilities.
6.3.0-beta.0
Affected by 4 other vulnerabilities.
VCID-gefx-xng3-k3f4
Aliases:
CVE-2025-58751
GHSA-g4jq-h2w9-997c
Vite middleware may serve files starting with the same name with the public directory Files starting with the same name with the public directory were served bypassing the `server.fs` settings.
5.4.20
Affected by 2 other vulnerabilities.
6.3.6
Affected by 2 other vulnerabilities.
7.0.7
Affected by 3 other vulnerabilities.
7.1.5
Affected by 3 other vulnerabilities.
VCID-jxyb-k93s-g3e8
Aliases:
CVE-2025-30208
GHSA-x574-m823-4x7w
Vite bypasses server.fs.deny when using ?raw?? The contents of arbitrary files can be returned to the browser.
4.5.10
Affected by 7 other vulnerabilities.
5.4.15
Affected by 7 other vulnerabilities.
6.0.12
Affected by 8 other vulnerabilities.
6.1.2
Affected by 8 other vulnerabilities.
6.2.3
Affected by 8 other vulnerabilities.
VCID-na8b-yqpp-p7fj
Aliases:
CVE-2025-46565
GHSA-859w-5945-r5v3
Duplicate This advisory duplicates another.
4.5.14
Affected by 3 other vulnerabilities.
5.0.0-beta.0
Affected by 3 other vulnerabilities.
5.4.19
Affected by 3 other vulnerabilities.
6.0.0-alpha.0
Affected by 1 other vulnerability.
6.1.6
Affected by 4 other vulnerabilities.
6.2.0-beta.0
Affected by 4 other vulnerabilities.
6.2.7
Affected by 4 other vulnerabilities.
6.3.0-beta.0
Affected by 4 other vulnerabilities.
6.3.4
Affected by 4 other vulnerabilities.
VCID-q59b-2z2s-mfbt
Aliases:
CVE-2025-31486
GHSA-xcj6-pq6g-qj4x
Vite allows server.fs.deny to be bypassed with .svg or relative paths The contents of arbitrary files can be returned to the browser.
4.5.12
Affected by 5 other vulnerabilities.
5.4.17
Affected by 5 other vulnerabilities.
6.0.14
Affected by 6 other vulnerabilities.
6.1.4
Affected by 6 other vulnerabilities.
6.2.5
Affected by 6 other vulnerabilities.
VCID-t716-h35b-9kf2
Aliases:
CVE-2025-32395
GHSA-356w-63v5-8wf4
Vite has an `server.fs.deny` bypass with an invalid `request-target` The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
4.5.13
Affected by 4 other vulnerabilities.
5.4.18
Affected by 4 other vulnerabilities.
6.0.15
Affected by 5 other vulnerabilities.
6.1.5
Affected by 5 other vulnerabilities.
6.2.6
Affected by 5 other vulnerabilities.
VCID-zn73-3dmx-vye4
Aliases:
CVE-2026-39365
GHSA-4w7w-66w2-5vf9
vite: Vite: Information disclosure via path traversal in dev server's .map request handling
6.4.2
Affected by 0 other vulnerabilities.
7.0.0-beta.0
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
8.0.0-beta.0
Affected by 0 other vulnerabilities.
8.0.5
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T07:47:23.921762+00:00 GitLab Importer Affected by VCID-zn73-3dmx-vye4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39365.yml 38.6.0
2026-06-06T06:05:31.996242+00:00 GitLab Importer Affected by VCID-b2m1-kmdu-ykgt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-58752.yml 38.6.0
2026-06-06T06:05:22.492111+00:00 GitLab Importer Affected by VCID-gefx-xng3-k3f4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-58751.yml 38.6.0
2026-06-06T05:48:48.953304+00:00 GitLab Importer Affected by VCID-na8b-yqpp-p7fj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-46565.yml 38.6.0
2026-06-06T05:46:51.109245+00:00 GitLab Importer Affected by VCID-t716-h35b-9kf2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-32395.yml 38.6.0
2026-06-06T05:46:03.211107+00:00 GitLab Importer Affected by VCID-q59b-2z2s-mfbt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-31486.yml 38.6.0
2026-06-06T05:45:15.344694+00:00 GitLab Importer Affected by VCID-cwjw-gp95-5uad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-31125.yml 38.6.0
2026-06-06T05:44:45.411750+00:00 GitLab Importer Affected by VCID-jxyb-k93s-g3e8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-30208.yml 38.6.0