VulnerableCode Package Details - pkg:npm/vite@5.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-1r3y-ngau-bff1 Aliases: CVE-2025-30208 GHSA-x574-m823-4x7w		5.4.15 Affected by 0 other vulnerabilities. 6.0.12 Affected by 0 other vulnerabilities. 6.1.2 Affected by 0 other vulnerabilities. 6.2.3 Affected by 0 other vulnerabilities.
VCID-1u9w-ucbx-dqgv Aliases: CVE-2025-46565 GHSA-859w-5945-r5v3		5.4.19 Affected by 0 other vulnerabilities. 6.1.6 Affected by 0 other vulnerabilities. 6.2.7 Affected by 0 other vulnerabilities. 6.3.4 Affected by 0 other vulnerabilities.
VCID-6zrj-xfa9-53bf Aliases: CVE-2025-31486 GHSA-xcj6-pq6g-qj4x		5.4.17 Affected by 0 other vulnerabilities. 6.0.14 Affected by 0 other vulnerabilities. 6.1.4 Affected by 0 other vulnerabilities. 6.2.5 Affected by 0 other vulnerabilities.
VCID-8qat-9kwy-sfew Aliases: CVE-2025-24010 GHSA-vg6x-rcgg-rjx6		5.4.12 Affected by 0 other vulnerabilities. 6.0.9 Affected by 0 other vulnerabilities.
VCID-ejgf-18s2-jfcv Aliases: CVE-2025-31125 GHSA-4r4m-qw57-chr8		5.4.16 Affected by 0 other vulnerabilities. 6.0.13 Affected by 0 other vulnerabilities. 6.1.3 Affected by 0 other vulnerabilities. 6.2.4 Affected by 0 other vulnerabilities.
VCID-mfry-5z57-n7ad Aliases: CVE-2024-45811 GHSA-9cwx-2883-4wfx		5.1.8 Affected by 0 other vulnerabilities. 5.2.14 Affected by 0 other vulnerabilities. 5.3.6 Affected by 0 other vulnerabilities. 5.4.6 Affected by 0 other vulnerabilities.
VCID-mfye-h829-fybu Aliases: CVE-2024-45812 GHSA-64vr-g452-qvp3		5.1.8 Affected by 0 other vulnerabilities. 5.2.14 Affected by 0 other vulnerabilities. 5.3.6 Affected by 0 other vulnerabilities. 5.4.6 Affected by 0 other vulnerabilities.
VCID-qqmk-huxn-kkcq Aliases: CVE-2023-49293 GHSA-92r3-m2mg-pj97	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.	5.0.5 Affected by 0 other vulnerabilities.
VCID-s6e9-86vw-kqej Aliases: CVE-2024-23331 GHSA-c24v-8rfc-w8vw	Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.	5.0.12 Affected by 0 other vulnerabilities.
VCID-w9wp-8fne-mucm Aliases: CVE-2025-32395 GHSA-356w-63v5-8wf4		5.4.18 Affected by 0 other vulnerabilities. 6.0.15 Affected by 0 other vulnerabilities. 6.1.5 Affected by 0 other vulnerabilities. 6.2.6 Affected by 0 other vulnerabilities.
VCID-xbcf-jm6w-vyeu Aliases: GHSA-8jhw-289h-jh2g	Vite's `server.fs.deny` did not deny requests for patterns with directories. [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/*/`.	5.0.13 Affected by 0 other vulnerabilities. 5.1.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.2.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1r3y-ngau-bff1
Aliases:
CVE-2025-30208
GHSA-x574-m823-4x7w

5.4.15
Affected by 0 other vulnerabilities.

6.0.12
Affected by 0 other vulnerabilities.

6.1.2
Affected by 0 other vulnerabilities.

6.2.3
Affected by 0 other vulnerabilities.

VCID-1u9w-ucbx-dqgv
Aliases:
CVE-2025-46565
GHSA-859w-5945-r5v3

5.4.19
Affected by 0 other vulnerabilities.

6.1.6
Affected by 0 other vulnerabilities.

6.2.7
Affected by 0 other vulnerabilities.

6.3.4
Affected by 0 other vulnerabilities.

VCID-6zrj-xfa9-53bf
Aliases:
CVE-2025-31486
GHSA-xcj6-pq6g-qj4x

5.4.17
Affected by 0 other vulnerabilities.

6.0.14
Affected by 0 other vulnerabilities.

6.1.4
Affected by 0 other vulnerabilities.

6.2.5
Affected by 0 other vulnerabilities.

VCID-8qat-9kwy-sfew
Aliases:
CVE-2025-24010
GHSA-vg6x-rcgg-rjx6

5.4.12
Affected by 0 other vulnerabilities.

6.0.9
Affected by 0 other vulnerabilities.

VCID-ejgf-18s2-jfcv
Aliases:
CVE-2025-31125
GHSA-4r4m-qw57-chr8

5.4.16
Affected by 0 other vulnerabilities.

6.0.13
Affected by 0 other vulnerabilities.

6.1.3
Affected by 0 other vulnerabilities.

6.2.4
Affected by 0 other vulnerabilities.

VCID-mfry-5z57-n7ad
Aliases:
CVE-2024-45811
GHSA-9cwx-2883-4wfx

5.1.8
Affected by 0 other vulnerabilities.

5.2.14
Affected by 0 other vulnerabilities.

5.3.6
Affected by 0 other vulnerabilities.

5.4.6
Affected by 0 other vulnerabilities.

VCID-mfye-h829-fybu
Aliases:
CVE-2024-45812
GHSA-64vr-g452-qvp3

5.1.8
Affected by 0 other vulnerabilities.

5.2.14
Affected by 0 other vulnerabilities.

5.3.6
Affected by 0 other vulnerabilities.

5.4.6
Affected by 0 other vulnerabilities.

VCID-qqmk-huxn-kkcq
Aliases:
CVE-2023-49293
GHSA-92r3-m2mg-pj97

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

5.0.5
Affected by 0 other vulnerabilities.

VCID-s6e9-86vw-kqej
Aliases:
CVE-2024-23331
GHSA-c24v-8rfc-w8vw

Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

5.0.12
Affected by 0 other vulnerabilities.

VCID-w9wp-8fne-mucm
Aliases:
CVE-2025-32395
GHSA-356w-63v5-8wf4

5.4.18
Affected by 0 other vulnerabilities.

6.0.15
Affected by 0 other vulnerabilities.

6.1.5
Affected by 0 other vulnerabilities.

6.2.6
Affected by 0 other vulnerabilities.

VCID-xbcf-jm6w-vyeu
Aliases:
GHSA-8jhw-289h-jh2g

Vite's `server.fs.deny` did not deny requests for patterns with directories. [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.

5.0.13
Affected by 0 other vulnerabilities.

5.1.7
Affected by 1 other vulnerability.

5.2.6
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T21:37:33.809874+00:00	GHSA Importer	Affected by	VCID-qqmk-huxn-kkcq	https://github.com/advisories/GHSA-92r3-m2mg-pj97	38.6.0
2026-05-31T19:21:21.338683+00:00	GitLab Importer	Affected by	VCID-1u9w-ucbx-dqgv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-46565.yml	38.6.0
2026-05-31T19:21:14.028655+00:00	GitLab Importer	Affected by	VCID-w9wp-8fne-mucm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-32395.yml	38.6.0
2026-05-31T19:21:10.349859+00:00	GitLab Importer	Affected by	VCID-6zrj-xfa9-53bf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-31486.yml	38.6.0
2026-05-31T19:21:06.679754+00:00	GitLab Importer	Affected by	VCID-ejgf-18s2-jfcv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-31125.yml	38.6.0
2026-05-31T19:21:04.807372+00:00	GitLab Importer	Affected by	VCID-1r3y-ngau-bff1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-30208.yml	38.6.0
2026-05-31T19:20:32.405178+00:00	GitLab Importer	Affected by	VCID-8qat-9kwy-sfew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-24010.yml	38.6.0
2026-05-31T19:19:36.332823+00:00	GitLab Importer	Affected by	VCID-mfye-h829-fybu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-45812.yml	38.6.0
2026-05-31T19:19:36.007713+00:00	GitLab Importer	Affected by	VCID-mfry-5z57-n7ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-45811.yml	38.6.0
2026-05-31T01:04:52.084242+00:00	GHSA Importer	Affected by	VCID-mfye-h829-fybu	https://github.com/advisories/GHSA-64vr-g452-qvp3	38.6.0
2026-05-31T01:04:51.524977+00:00	GHSA Importer	Affected by	VCID-mfry-5z57-n7ad	https://github.com/advisories/GHSA-9cwx-2883-4wfx	38.6.0
2026-05-31T01:01:50.945079+00:00	GHSA Importer	Affected by	VCID-s6e9-86vw-kqej	https://github.com/advisories/GHSA-c24v-8rfc-w8vw	38.6.0
2026-05-30T21:03:45.418087+00:00	GitLab Importer	Affected by	VCID-xbcf-jm6w-vyeu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/GHSA-8jhw-289h-jh2g.yml	38.6.0
2026-05-30T21:03:05.444612+00:00	GitLab Importer	Affected by	VCID-s6e9-86vw-kqej	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-23331.yml	38.6.0
2026-05-30T21:02:42.222070+00:00	GitLab Importer	Affected by	VCID-qqmk-huxn-kkcq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2023-49293.yml	38.6.0