CVE-2025-46565

Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb	Patch
https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3	Exploit Vendor Advisory
https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*

History

No history.

Information

Published : 2025-05-01 18:15

Updated : 2025-10-02 15:40

NVD link : CVE-2025-46565

Mitre link : CVE-2025-46565

CVE.ORG link : CVE-2025-46565

JSON object : View

Products Affected

vitejs

vite

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-46565", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-01T18:15:57.797", "references": [{"url": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14."}, {"lang": "es", "value": "Vite es un framework de herramientas frontend para JavaScript. En versiones anteriores a las 6.3.4, 6.2.7, 6.1.6, 5.4.19 y 4.5.14, el contenido de los archivos en la root del proyecto que se deniegan por un patr\u00f3n de coincidencia de archivos se puede devolver al navegador. Solo las aplicaciones que exponen expl\u00edcitamente el servidor de desarrollo de Vite a la red (mediante la opci\u00f3n de configuraci\u00f3n --host o server.host) se ven afectadas. Solo se pueden omitir los archivos que se encuentran en la root del proyecto y se deniegan por un patr\u00f3n de coincidencia de archivos. `server.fs.deny` puede contener patrones que coinciden con archivos (por defecto, incluye .env, .env.*, *.{crt,pem} como tales patrones). Estos patrones se pod\u00edan omitir para los archivos en `root` mediante una combinaci\u00f3n de barra diagonal y punto (/.). Este problema se ha solucionado en las versiones 6.3.4, 6.2.7, 6.1.6, 5.4.19 y 4.5.14."}], "lastModified": "2025-10-02T15:40:34.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "77FC6257-88E2-4A6C-BDD4-7698ACAF2D30", "versionEndExcluding": "4.5.14"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CC4A2476-6C4D-4C09-A509-C870545D7C23", "versionEndExcluding": "5.4.19", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A46F68BA-EEBF-4644-8751-078708C50B22", "versionEndExcluding": "6.1.6", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "662C2DA3-F405-4D04-B78E-C710BFD7016D", "versionEndExcluding": "6.2.7", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AE06E232-1DBC-4900-9D3A-46EAB1FB7190", "versionEndExcluding": "6.3.4", "versionStartIncluding": "6.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}