vite@5.4.15 vulnerabilities

Native-ESM powered web dev build tool

  • latest version

    6.2.6

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    1 day ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • M (medium severity): Information Exposure

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url, which may contain unexpected characters such as #. An attacker can access and retrieve the contents of arbitrary files by sending specially crafted requests that bypass the server.fs.deny checks.

    Note:

    This is only exploitable if the Vite dev server is explicitly exposed to the network and running on Node or Bun runtimes, excluding Deno.

    How to fix Information Exposure?

    Upgrade vite to version 4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6 or higher.

    Vulnerable versions: <4.5.13, >=5.0.0 <5.4.18, >=6.0.0 <6.0.15, >=6.1.0 <6.1.5, >=6.2.0 <6.2.6
    • H (high severity): Incorrect Authorization

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Incorrect Authorization via a bypass of the server.fs.deny restriction. An attacker can access restricted files by appending ?.svg with ?.wasm?init, or by adding a sec-fetch-dest: script header, to the requests.

    Note:

    This is only exploitable if the file is smaller than build.assetsInlineLimit (default: 4kB), when using Vite 6.0+, and when the Vite dev server is explicitly exposed to the network (using --host or the server.host config option).

    How to fix Incorrect Authorization?

    Upgrade vite to version 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 or higher.

    Vulnerable versions: <4.5.12, >=5.0.0 <5.4.17, >=6.0.0 <6.0.14, >=6.1.0 <6.1.4, >=6.2.0 <6.2.5
    • M (medium severity): Access Control Bypass

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Access Control Bypass through the server.fs.deny configuration, which is bypassed when using the ?import query with the inline and raw parameters. An attacker can read arbitrary files, if they exist, and obtain their content by crafting a URL that includes specific query parameters.

    How to fix Access Control Bypass?

    Upgrade vite to version 4.5.11, 5.4.16, 6.0.13, 6.1.3, 6.2.4 or higher.

    Vulnerable versions: <4.5.11, >=5.0.0 <5.4.16, >=6.0.0 <6.0.13, >=6.1.0 <6.1.3, >=6.2.0 <6.2.4
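As an added example (not Snyk's or Vite's own code), the following checks an installed vite version against the vulnerable ranges of the three advisories above and reports the smallest patched release on the same release line; the ranges are transcribed from this page, and the version comparison is a minimal one that assumes plain x.y.z version strings.

```javascript
// Added example, not code from Snyk or the Vite project.
// Vulnerable ranges transcribed from the three advisories on this page:
// each [lo, hi] pair means ">=lo <hi"; a null lo means no lower bound.
// The upper bound of a matching range is the first patched version on
// that release line, i.e. the version to upgrade to.
const ADVISORIES = [
  { title: 'Information Exposure', severity: 'M',
    vulnerable: [[null, '4.5.13'], ['5.0.0', '5.4.18'], ['6.0.0', '6.0.15'], ['6.1.0', '6.1.5'], ['6.2.0', '6.2.6']] },
  { title: 'Incorrect Authorization', severity: 'H',
    vulnerable: [[null, '4.5.12'], ['5.0.0', '5.4.17'], ['6.0.0', '6.0.14'], ['6.1.0', '6.1.4'], ['6.2.0', '6.2.5']] },
  { title: 'Access Control Bypass', severity: 'M',
    vulnerable: [[null, '4.5.11'], ['5.0.0', '5.4.16'], ['6.0.0', '6.0.13'], ['6.1.0', '6.1.3'], ['6.2.0', '6.2.4']] },
];

// Minimal semver parsing (assumption: plain MAJOR.MINOR.PATCH, no pre-release tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Finds the [lo, hi] range that contains `version`, or undefined.
function matchingRange(version, ranges) {
  return ranges.find(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) && compareVersions(version, hi) < 0);
}

// Lists the advisories that apply to `version`, with the upgrade target for each.
function affectedAdvisories(version) {
  const hits = [];
  for (const adv of ADVISORIES) {
    const range = matchingRange(version, adv.vulnerable);
    if (range) hits.push({ title: adv.title, severity: adv.severity, upgradeTo: range[1] });
  }
  return hits;
}

// The version this page is about: all three advisories apply.
console.log(affectedAdvisories('5.4.15'));
```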