vite-6.2.0.tgz: 8 vulnerabilities (highest severity is: 6.5) #2
Description
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (vite version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-62522 |  Medium |
6.5 | vite-6.2.0.tgz | Direct | N/A | ❌ |
| CVE-2025-32395 | Medium |
6.5 | vite-6.2.0.tgz | Direct | 6.2.6 | ✅ |
| CVE-2025-58752 | Medium |
5.3 | vite-6.2.0.tgz | Direct | 6.3.6 | ✅ |
| CVE-2025-58751 | Medium |
5.3 | vite-6.2.0.tgz | Direct | 6.3.6 | ✅ |
| CVE-2025-46565 | Medium |
5.3 | vite-6.2.0.tgz | Direct | 6.2.7 | ✅ |
| CVE-2025-31486 | Medium |
5.3 | vite-6.2.0.tgz | Direct | 6.2.5 | ✅ |
| CVE-2025-31125 | Medium |
5.3 | vite-6.2.0.tgz | Direct | 6.2.4 | ✅ |
| CVE-2025-30208 | Medium |
5.3 | vite-6.2.0.tgz | Direct | 6.2.3 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-62522
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Publish Date: 2025-10-20
URL: CVE-2025-62522
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVE-2025-32395
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
Publish Date: 2025-04-10
URL: CVE-2025-32395
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-356w-63v5-8wf4
Release Date: 2025-04-10
Fix Resolution: 6.2.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58752
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use "appType: 'spa'" (default) or "appType: 'mpa'" are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58752
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-jqfw-vq24-v9c3
Release Date: 2025-09-08
Fix Resolution: 6.3.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58751
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or "server.host" config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58751
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g4jq-h2w9-997c
Release Date: 2025-09-08
Fix Resolution: 6.3.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-46565
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. "server.fs.deny" can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under "root" by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Publish Date: 2025-05-01
URL: CVE-2025-46565
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-859w-5945-r5v3
Release Date: 2025-05-01
Fix Resolution: 6.2.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31486
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
Publish Date: 2025-04-03
URL: CVE-2025-31486
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-xcj6-pq6g-qj4x
Release Date: 2025-04-03
Fix Resolution: 6.2.5
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31125
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Publish Date: 2025-03-31
URL: CVE-2025-31125
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-4r4m-qw57-chr8
Release Date: 2025-03-31
Fix Resolution: 6.2.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-30208
Vulnerable Library - vite-6.2.0.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ vite-6.2.0.tgz (Vulnerable Library)
Found in HEAD commit: b57a0a5c4765847d004ff2f68061c6699a2e65d5
Found in base branch: main
Vulnerability Details
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. "@fs" denies access to files outside of Vite serving allow list. Adding "?raw??" or "?import&raw??" to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as "?" are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using "--host" or "server.host" config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Publish Date: 2025-03-24
URL: CVE-2025-30208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-24
Fix Resolution: 6.2.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.