Search for packages
| purl | pkg:npm/vite@7.1.10 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3szj-s4z5-k3cp
Aliases: CVE-2025-62522 GHSA-93m4-6634-74q7 |
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11. |
Affected by 3 other vulnerabilities. |
|
VCID-nh6q-ms28-13ee
Aliases: CVE-2026-39365 GHSA-4w7w-66w2-5vf9 |
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ttfe-2bcz-f3e4
Aliases: CVE-2026-39364 GHSA-v2wj-q39q-566r |
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xn8m-3ck8-fufm
Aliases: CVE-2026-39363 GHSA-p9ff-h696-f583 |
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T21:54:41.122945+00:00 | GitLab Importer | Affected by | VCID-xn8m-3ck8-fufm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39363.yml | 38.6.0 |
| 2026-06-12T21:54:28.332288+00:00 | GitLab Importer | Affected by | VCID-ttfe-2bcz-f3e4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39364.yml | 38.6.0 |
| 2026-06-12T21:54:22.565986+00:00 | GitLab Importer | Affected by | VCID-nh6q-ms28-13ee | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39365.yml | 38.6.0 |
| 2026-06-11T20:36:35.387249+00:00 | GHSA Importer | Affected by | VCID-3szj-s4z5-k3cp | https://github.com/advisories/GHSA-93m4-6634-74q7 | 38.6.0 |