Search for packages
| purl | pkg:npm/vite@4.4.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3s4w-2k7z-xkaa
Aliases: CVE-2023-49293 GHSA-92r3-m2mg-pj97 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability. |
Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-6cep-dhsy-qkhg
Aliases: CVE-2024-45812 GHSA-64vr-g452-qvp3 |
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Note that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 |
Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-b2m1-kmdu-ykgt
Aliases: CVE-2025-58752 GHSA-jqfw-vq24-v9c3 |
Vite's `server.fs` settings were not applied to HTML files Any HTML files on the machine were served regardless of the `server.fs` settings. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-ccy3-s9ra-uub9
Aliases: CVE-2024-45811 GHSA-9cwx-2883-4wfx |
Vite's `server.fs.deny` is bypassed when using `?import&raw` The contents of arbitrary files can be returned to the browser. |
Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-cwjw-gp95-5uad
Aliases: CVE-2025-31125 GHSA-4r4m-qw57-chr8 |
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query The contents of arbitrary files can be returned to the browser. |
Affected by 6 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 1 other vulnerability. Affected by 7 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-gdv1-n78f-tud7
Aliases: CVE-2025-24010 GHSA-vg6x-rcgg-rjx6 |
Websites were able to send any requests to the development server and read the response in vite Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. > [!WARNING] > This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network. |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-gefx-xng3-k3f4
Aliases: CVE-2025-58751 GHSA-g4jq-h2w9-997c |
Vite middleware may serve files starting with the same name with the public directory Files starting with the same name with the public directory were served bypassing the `server.fs` settings. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-jxyb-k93s-g3e8
Aliases: CVE-2025-30208 GHSA-x574-m823-4x7w |
Vite bypasses server.fs.deny when using ?raw?? The contents of arbitrary files can be returned to the browser. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-mbnq-b7vj-jyhb
Aliases: CVE-2024-23331 GHSA-c24v-8rfc-w8vw |
Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. |
Affected by 12 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-na8b-yqpp-p7fj
Aliases: CVE-2025-46565 GHSA-859w-5945-r5v3 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-q59b-2z2s-mfbt
Aliases: CVE-2025-31486 GHSA-xcj6-pq6g-qj4x |
Vite allows server.fs.deny to be bypassed with .svg or relative paths The contents of arbitrary files can be returned to the browser. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-t716-h35b-9kf2
Aliases: CVE-2025-32395 GHSA-356w-63v5-8wf4 |
Vite has an `server.fs.deny` bypass with an invalid `request-target` The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-vyjc-1f5b-p7cs
Aliases: CVE-2024-31207 GHSA-8jhw-289h-jh2g |
Vite's `server.fs.deny` did not deny requests for patterns with directories. [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`. |
Affected by 12 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-zn73-3dmx-vye4
Aliases: CVE-2026-39365 GHSA-4w7w-66w2-5vf9 |
vite: Vite: Information disclosure via path traversal in dev server's .map request handling |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||