Vite Frontend Framework Vulnerability in JavaScript Applications
CVE-2025-46565

6.0 MEDIUM

Key Information:

Vendor
Vitejs
Status
Vendor
CVE Published:
1 May 2025

Summary

Vite's development server refuses to serve files that match the patterns in its server.fs.deny option; the default list covers .env, .env.* and *.{crt,pem}, so secrets and private keys kept in the project root are not handed to the browser. In the affected versions this check could be bypassed for files directly under the project root: the deny patterns were evaluated against the request path before it was normalized, so a path that appends extra slash and dot segments (for example a trailing /.) did not match any pattern, while the server still resolved and read the underlying file. The flaw is a bug in the path handling around the pattern match, not a user misconfiguration.

Only projects that deliberately expose the development server to the network with the --host flag or the server.host option are reachable by a remote attacker; the default localhost binding keeps the server off the network. The fix is to upgrade to one of the patched releases listed below. Exposing the dev server to untrusted networks remains unsafe regardless of the deny list, which is a defence-in-depth control rather than an access-control boundary.

Affected Version(s)

Affected range              Fixed in

vite >= 6.3.0, < 6.3.4      6.3.4

vite >= 6.2.0, < 6.2.7      6.2.7

vite >= 6.0.0, < 6.1.6      6.1.6

CVSS V4

Score:
6.0
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Present
Privileges Required:
None
User Interaction:
None

Timeline

  • Vulnerability published (1 May 2025)

  • Vulnerability reserved

CVE-2025-46565 : Vite Frontend Framework Vulnerability in JavaScript Applications | SecurityVulnerability.io