| 0 |
| url |
VCID-6cep-dhsy-qkhg |
| vulnerability_id |
VCID-6cep-dhsy-qkhg |
| summary |
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Note that we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-45812 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00256 |
| scoring_system |
epss |
| scoring_elements |
0.49211 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00256 |
| scoring_system |
epss |
| scoring_elements |
0.49241 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00256 |
| scoring_system |
epss |
| scoring_elements |
0.49259 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00256 |
| scoring_system |
epss |
| scoring_elements |
0.49248 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-45812 |
|
| 2 |
| reference_url |
https://github.com/vitejs/vite |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/vitejs/vite |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
| reference_url |
https://scnps.co/papers/sp23_domclob.pdf |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:57:07Z/ |
|
|
| url |
https://scnps.co/papers/sp23_domclob.pdf |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/vite@4.5.5 |
| purl |
pkg:npm/vite@4.5.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.5 |
|
| 2 |
| url |
pkg:npm/vite@5.1.8 |
| purl |
pkg:npm/vite@5.1.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.8 |
|
| 3 |
|
| 4 |
|
| 5 |
| url |
pkg:npm/vite@5.3.6 |
| purl |
pkg:npm/vite@5.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.3.6 |
|
| 6 |
| url |
pkg:npm/vite@5.4.6 |
| purl |
pkg:npm/vite@5.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.4.6 |
|
|
| aliases |
CVE-2024-45812, GHSA-64vr-g452-qvp3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6cep-dhsy-qkhg |
|
| 1 |
| url |
VCID-b2m1-kmdu-ykgt |
| vulnerability_id |
VCID-b2m1-kmdu-ykgt |
| summary |
Vite's `server.fs` settings were not applied to HTML files
Any HTML files on the machine were served regardless of the `server.fs` settings. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-58752 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.07975 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08028 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08042 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.08025 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-58752 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-58752, GHSA-jqfw-vq24-v9c3
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b2m1-kmdu-ykgt |
|
| 2 |
| url |
VCID-ccy3-s9ra-uub9 |
| vulnerability_id |
VCID-ccy3-s9ra-uub9 |
| summary |
Vite's `server.fs.deny` is bypassed when using `?import&raw`
The contents of arbitrary files can be returned to the browser. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-45811 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03081 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03101 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03153 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03144 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-45811 |
|
| 2 |
| reference_url |
https://github.com/vitejs/vite |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/vitejs/vite |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx |
| reference_id |
GHSA-9cwx-2883-4wfx |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:59:58Z/ |
|
|
| url |
https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/vite@4.5.5 |
| purl |
pkg:npm/vite@4.5.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.5 |
|
| 2 |
| url |
pkg:npm/vite@5.1.8 |
| purl |
pkg:npm/vite@5.1.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.8 |
|
| 3 |
|
| 4 |
|
| 5 |
| url |
pkg:npm/vite@5.3.6 |
| purl |
pkg:npm/vite@5.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.3.6 |
|
| 6 |
| url |
pkg:npm/vite@5.4.6 |
| purl |
pkg:npm/vite@5.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.4.6 |
|
|
| aliases |
CVE-2024-45811, GHSA-9cwx-2883-4wfx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ccy3-s9ra-uub9 |
|
| 3 |
|
| 4 |
| url |
VCID-gdv1-n78f-tud7 |
| vulnerability_id |
VCID-gdv1-n78f-tud7 |
| summary |
Websites were able to send any requests to the development server and read the response in Vite
Vite allowed any website to send any request to the development server and read the response, due to default CORS settings and a lack of validation on the Origin header for WebSocket connections.
> [!WARNING]
> This vulnerability even applies to users that only run the Vite dev server on the local machine and do not expose the dev server to the network. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-24010 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25883 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25773 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25831 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25875 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-24010 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:npm/vite@6.0.9 |
| purl |
pkg:npm/vite@6.0.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 3 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 4 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 5 |
| vulnerability |
VCID-p1jn-hqj6-j7ca |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@6.0.9 |
|
|
| aliases |
CVE-2025-24010, GHSA-vg6x-rcgg-rjx6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gdv1-n78f-tud7 |
|
| 5 |
| url |
VCID-gefx-xng3-k3f4 |
| vulnerability_id |
VCID-gefx-xng3-k3f4 |
| summary |
Vite middleware may serve files starting with the same name as the public directory
Files whose names start with the same name as the public directory were served, bypassing the `server.fs` settings. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-58751 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01434 |
| scoring_system |
epss |
| scoring_elements |
0.81049 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.01434 |
| scoring_system |
epss |
| scoring_elements |
0.81054 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.01434 |
| scoring_system |
epss |
| scoring_elements |
0.81058 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01434 |
| scoring_system |
epss |
| scoring_elements |
0.81053 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-58751 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-58751, GHSA-g4jq-h2w9-997c
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gefx-xng3-k3f4 |
|
| 6 |
|
| 7 |
| url |
VCID-mbnq-b7vj-jyhb |
| vulnerability_id |
VCID-mbnq-b7vj-jyhb |
| summary |
Improper Access Control
Vite is a frontend tooling framework for JavaScript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with the surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching but the file server does not discriminate, a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23331 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00479 |
| scoring_system |
epss |
| scoring_elements |
0.65452 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00479 |
| scoring_system |
epss |
| scoring_elements |
0.65463 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00479 |
| scoring_system |
epss |
| scoring_elements |
0.65475 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00479 |
| scoring_system |
epss |
| scoring_elements |
0.65464 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23331 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/vite@4.5.2 |
| purl |
pkg:npm/vite@4.5.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.2 |
|
| 1 |
|
| 2 |
| url |
pkg:npm/vite@5.0.12 |
| purl |
pkg:npm/vite@5.0.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.0.12 |
|
| 3 |
| url |
pkg:npm/vite@5.1.0-beta.0 |
| purl |
pkg:npm/vite@5.1.0-beta.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.0-beta.0 |
|
|
| aliases |
CVE-2024-23331, GHSA-c24v-8rfc-w8vw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mbnq-b7vj-jyhb |
|
| 8 |
| url |
VCID-n143-1uka-s3eg |
| vulnerability_id |
VCID-n143-1uka-s3eg |
| summary |
Use of Incorrectly-Resolved Name or Reference
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, the Vite Server Options (`server.fs.deny`) can be bypassed using a double forward-slash (//), which allows any unauthenticated user to read files from the Vite root path of the application, including those covered by the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/vite@4.3.9 |
| purl |
pkg:npm/vite@4.3.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-mbnq-b7vj-jyhb |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 12 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.3.9 |
|
|
| aliases |
CVE-2023-34092, GHSA-353f-5xf4-qw67
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n143-1uka-s3eg |
|
| 9 |
|
| 10 |
|
| 11 |
| url |
VCID-t716-h35b-9kf2 |
| vulnerability_id |
VCID-t716-h35b-9kf2 |
| summary |
Vite has a `server.fs.deny` bypass with an invalid `request-target`
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-32395 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03166 |
| scoring_system |
epss |
| scoring_elements |
0.87192 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.03166 |
| scoring_system |
epss |
| scoring_elements |
0.87183 |
| published_at |
2026-06-08T12:55:00Z |
|
| 2 |
| value |
0.03166 |
| scoring_system |
epss |
| scoring_elements |
0.87187 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.03166 |
| scoring_system |
epss |
| scoring_elements |
0.8719 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-32395 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-32395, GHSA-356w-63v5-8wf4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t716-h35b-9kf2 |
|
| 12 |
| url |
VCID-vyjc-1f5b-p7cs |
| vulnerability_id |
VCID-vyjc-1f5b-p7cs |
| summary |
Vite's `server.fs.deny` did not deny requests for patterns with directories.
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-31207 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.47152 |
| published_at |
2026-06-08T12:55:00Z |
|
| 1 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.47182 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.47201 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.47198 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-31207 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/vite@4.5.3 |
| purl |
pkg:npm/vite@4.5.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-kb9w-txmc-pbhq |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.3 |
|
| 1 |
| url |
pkg:npm/vite@5.0.13 |
| purl |
pkg:npm/vite@5.0.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.0.13 |
|
| 2 |
| url |
pkg:npm/vite@5.1.7 |
| purl |
pkg:npm/vite@5.1.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.7 |
|
| 3 |
| url |
pkg:npm/vite@5.2.6 |
| purl |
pkg:npm/vite@5.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-kb9w-txmc-pbhq |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.2.6 |
|
|
| aliases |
CVE-2024-31207, GHSA-8jhw-289h-jh2g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vyjc-1f5b-p7cs |
|
| 13 |
|