vite@0.19.3 vulnerabilities

Native-ESM powered web dev build tool

latest version

5.2.9
latest non vulnerable version

6.0.0-alpha.2
first published

4 years ago
latest version published

3 days ago
licenses detected
- MIT
  >=0
View vite package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Path Equivalence vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Path Equivalence such that Server Options (`server.fs.deny`) can be bypassed using double forward-slash (`//`) allowing any unauthenticated user to read files from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.', '.{crt,pem}']`). Note: Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. How to fix Path Equivalence? Upgrade `vite` to version 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, 4.3.9 or higher.	<2.9.16 >=3.0.0 <3.2.7 >=4.0.0 <4.0.5 >=4.1.0 <4.1.5 >=4.2.0 <4.2.3 >=4.3.0 <4.3.9
H Directory Traversal vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal. It allows attackers to perform a directory traversal via a crafted URL to the victim's service. How to fix Directory Traversal? Upgrade `vite` to version 2.9.13 or higher.	<2.9.13

Path Equivalence

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Path Equivalence such that Server Options (server.fs.deny) can be bypassed using double forward-slash (//) allowing any unauthenticated user to read files from the Vite root-path of the application including the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']).

Note:

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

How to fix Path Equivalence?

Upgrade vite to version 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, 4.3.9 or higher.

<2.9.16 >=3.0.0 <3.2.7 >=4.0.0 <4.0.5 >=4.1.0 <4.1.5 >=4.2.0 <4.2.3 >=4.3.0 <4.3.9

Directory Traversal

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Directory Traversal. It allows attackers to perform a directory traversal via a crafted URL to the victim's service.

How to fix Directory Traversal?

Upgrade vite to version 2.9.13 or higher.

<2.9.13

Go back to all versions of this package

vite@0.19.3 vulnerabilities

Native-ESM powered web dev build tool

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities