CVE-2025-24010

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6	Exploit Third Party Advisory Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*

History

No history.

Information

Published : 2025-01-20 16:15

Updated : 2025-09-19 18:35

NVD link : CVE-2025-24010

Mitre link : CVE-2025-24010

CVE.ORG link : CVE-2025-24010

JSON object : View

Products Affected

vitejs

vite

CWE

CWE-346

Origin Validation Error

CWE-350

Reliance on Reverse DNS Resolution for a Security-Critical Action

CWE-1385

Missing Origin Validation in WebSockets

{"id": "CVE-2025-24010", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-01-20T16:15:28.730", "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6", "tags": ["Exploit", "Third Party Advisory", "Mitigation"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-350"}, {"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6."}, {"lang": "es", "value": "Vite es una herramienta de interfaz framework para JavaScript. Vite permit\u00eda que cualquier sitio web enviara solicitudes al servidor de desarrollo y leyera la respuesta debido a la configuraci\u00f3n CORS predeterminada y la falta de validaci\u00f3n en el encabezado Origin para las conexiones WebSocket. Esta vulnerabilidad se solucion\u00f3 en 6.0.9, 5.4.12 y 4.5.6."}], "lastModified": "2025-09-19T18:35:59.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6A418E00-E3DD-4461-96A8-BC4C22E98F75", "versionEndExcluding": "4.5.5"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "70C30FA0-1314-408F-A85B-BB3335EC6163", "versionEndExcluding": "5.4.12", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "99D0A251-3C65-4F9F-AD23-B3C3E3DEC93D", "versionEndExcluding": "6.0.9", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}