Search

Find a vulnerability

Search criteria

    44 vulnerabilities found for vite by vitejs

    CVE-2026-53632 (GCVE-0-2026-53632)

    Vulnerability from nvd – Published: 2026-06-22 15:54 – Updated: 2026-06-22 17:30
    VLAI
    Title
    NTLMv2 hash disclosure via UNC path handling on Windows
    Summary
    launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs launch-editor Affected: < 2.14.1
    Create a notification for this product.
    vitejs vite Affected: >= 8.0.0, < 8.0.16
    Affected: >= 7.0.0, < 7.3.5
    Affected: < 6.4.3
    Create a notification for this product.
    vitejs vite-plus Affected: < 0.1.24
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53632",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:29:50.413110Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:30:11.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "launch-editor",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.14.1"
                }
              ]
            },
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.4.3"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.24"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user\u2019s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73: External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:54:09.240Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3"
            }
          ],
          "source": {
            "advisory": "GHSA-v6wh-96g9-6wx3",
            "discovery": "UNKNOWN"
          },
          "title": "NTLMv2 hash disclosure via UNC path handling on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53632",
        "datePublished": "2026-06-22T15:54:09.240Z",
        "dateReserved": "2026-06-09T20:16:59.647Z",
        "dateUpdated": "2026-06-22T17:30:11.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53571 (GCVE-0-2026-53571)

    Vulnerability from nvd – Published: 2026-06-22 16:10 – Updated: 2026-06-22 18:07
    VLAI
    Title
    Vite: `server.fs.deny` bypass on Windows alternate paths
    Summary
    Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 8.0.0, < 8.0.16
    Affected: >= 7.0.0, < 7.3.5
    Affected: < 6.4.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53571",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T18:07:16.554503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T18:07:53.961Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite\u2019s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file\u0027s default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:10:58.500Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff"
            }
          ],
          "source": {
            "advisory": "GHSA-fx2h-pf6j-xcff",
            "discovery": "UNKNOWN"
          },
          "title": "Vite: `server.fs.deny` bypass on Windows alternate paths"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53571",
        "datePublished": "2026-06-22T16:10:58.500Z",
        "dateReserved": "2026-06-09T19:11:53.483Z",
        "dateUpdated": "2026-06-22T18:07:53.961Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-52011 (GCVE-0-2024-52011)

    Vulnerability from nvd – Published: 2026-06-01 17:17 – Updated: 2026-06-30 12:07
    VLAI
    Title
    launch-editor vulnerable to command injection via the crafted request on Windows
    Summary
    launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
    Assigner
    Impacted products
    Vendor Product Version
    vitejs launch-editor Affected: < 2.9.0
    Create a notification for this product.
    vitejs vite Affected: < 5.4.9
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat Migration Toolkit for Containers     cpe:/a:redhat:rhmt:1
    Create a notification for this product.
    Red Hat Node HealthCheck Operator     cpe:/a:redhat:workload_availability_nhc:0
    Create a notification for this product.
    Red Hat OpenShift Lightspeed     cpe:/a:redhat:openshift_lightspeed
    Create a notification for this product.
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop - Tech Preview     cpe:/a:redhat:podman_desktop:0
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
    Create a notification for this product.
    Red Hat Red Hat Discovery 2     cpe:/a:redhat:discovery:2::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
    Create a notification for this product.
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52011",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-02T15:24:21.443316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-02T15:24:59.154Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhmt:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Migration Toolkit for Containers",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:workload_availability_nhc:0"
                ],
                "defaultStatus": "unaffected",
                "product": "Node HealthCheck Operator",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apache_camel_hawtio:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel - HawtIO 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:0"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Podman Desktop - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Developer Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:discovery:2::el9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Discovery 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:container_native_virtualization:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Virtualization 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-01T17:17:43.792Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in launch-editor, a tool that allows users to open files with line numbers in an editor from Node.js. Due to insufficient sanitization of the `file` argument in the `launchEditor` function, an attacker can execute arbitrary commands on Windows systems by supplying a filename that contains special characters. This can lead to a complete compromise of the affected system."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 8.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-88",
                    "description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:26.987Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2024-52011"
              },
              {
                "name": "RHBZ#2483853",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483853"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-52011.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-01T19:04:20.806Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-01T17:17:43.792Z",
                "value": "Made public."
              }
            ],
            "title": "launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "launch-editor",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.9.0"
                }
              ]
            },
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T17:17:43.792Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf"
            },
            {
              "name": "https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e"
            }
          ],
          "source": {
            "advisory": "GHSA-c27g-q93r-2cwf",
            "discovery": "UNKNOWN"
          },
          "title": "launch-editor vulnerable to command injection via the crafted request on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-52011",
        "datePublished": "2026-06-01T17:17:43.792Z",
        "dateReserved": "2024-11-04T17:46:16.779Z",
        "dateUpdated": "2026-06-30T12:07:26.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39365 (GCVE-0-2026-39365)

    Vulnerability from nvd – Published: 2026-04-07 19:13 – Updated: 2026-04-15 14:23
    VLAI
    Title
    Vite has a Path Traversal in Optimized Deps `.map` Handling
    Summary
    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 8.0.0, < 8.0.5
    Affected: >= 7.0.0, < 7.3.2
    Affected: >= 6.0.0, < 6.4.2
    Create a notification for this product.
    vitejs vite-plus Affected: < 0.1.16
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39365",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T18:10:42.839064Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T14:23:24.501Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.2"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server\u2019s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:13:50.927Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9"
            }
          ],
          "source": {
            "advisory": "GHSA-4w7w-66w2-5vf9",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has a Path Traversal in Optimized Deps `.map` Handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39365",
        "datePublished": "2026-04-07T19:13:50.927Z",
        "dateReserved": "2026-04-06T21:29:17.349Z",
        "dateUpdated": "2026-04-15T14:23:24.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39364 (GCVE-0-2026-39364)

    Vulnerability from nvd – Published: 2026-04-07 19:12 – Updated: 2026-06-30 12:09
    VLAI
    Title
    Vite has a `server.fs.deny` bypass with queries
    Summary
    Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
    • CWE-284 - Improper Access Control
    • CWE-472 - External Control of Assumed-Immutable Web Parameter
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39364",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T20:01:48.579074Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T20:01:56.564Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T19:12:47.577Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve sensitive files, including environment variables (.env) and certificate files (*.crt), which should otherwise be blocked. This information disclosure could lead to further compromise of the system."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-472",
                    "description": "External Control of Assumed-Immutable Web Parameter",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:01.302Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-39364"
              },
              {
                "name": "RHBZ#2456181",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456181"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39364.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24866"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T20:02:18.458Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T19:12:47.577Z",
                "value": "Made public."
              }
            ],
            "title": "vite: Vite: Information disclosure via query parameter manipulation on the development server",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.3.2"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import\u0026raw, or ?import\u0026url\u0026inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-180",
                  "description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:12:47.577Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r"
            }
          ],
          "source": {
            "advisory": "GHSA-v2wj-q39q-566r",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has a `server.fs.deny` bypass with queries"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39364",
        "datePublished": "2026-04-07T19:12:47.577Z",
        "dateReserved": "2026-04-06T21:29:17.349Z",
        "dateUpdated": "2026-06-30T12:09:01.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39363 (GCVE-0-2026-39363)

    Vulnerability from nvd – Published: 2026-04-07 19:10 – Updated: 2026-06-30 12:09
    VLAI
    Title
    Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
    Summary
    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-1220 - Insufficient Granularity of Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 8.0.0, < 8.0.5
    Affected: >= 7.0.0, < 7.3.2
    Affected: >= 6.0.0, < 6.4.2
    Create a notification for this product.
    vitejs vite-plus Affected: < 0.1.16
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8     cpe:/a:redhat:ansible_automation_platform:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6     cpe:/a:redhat:ansible_automation_platform:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop - Tech Preview     cpe:/a:redhat:podman_desktop:0
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 10     cpe:/a:redhat:ansible_automation_platform:2.6::el10
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39363",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T17:52:54.234521Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T17:52:58.420Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el10",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T19:10:44.916Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vite, a frontend tooling framework. A remote attacker can exploit this vulnerability by connecting to the Vite development server\u0027s WebSocket without an Origin header. This allows the attacker to invoke the fetchModule function, enabling them to retrieve the contents of arbitrary files on the server. This information disclosure can lead to unauthorized access to sensitive data."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1220",
                    "description": "Insufficient Granularity of Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:01.953Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-39363"
              },
              {
                "name": "RHBZ#2456179",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456179"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39363.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24761"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24762"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24866"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T20:02:11.316Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T19:10:44.916Z",
                "value": "Made public."
              }
            ],
            "title": "Vite: Vite: Information disclosure via WebSocket connection bypasses access control",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.2"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server\u2019s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default \"...\"). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:10:44.916Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583"
            }
          ],
          "source": {
            "advisory": "GHSA-p9ff-h696-f583",
            "discovery": "UNKNOWN"
          },
          "title": "Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39363",
        "datePublished": "2026-04-07T19:10:44.916Z",
        "dateReserved": "2026-04-06T21:29:17.349Z",
        "dateUpdated": "2026-06-30T12:09:01.953Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62522 (GCVE-0-2025-62522)

    Vulnerability from nvd – Published: 2025-10-20 19:57 – Updated: 2025-10-20 20:17
    VLAI
    Title
    vite allows server.fs.deny bypass via backslash on Windows
    Summary
    Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 7.1.0, < 7.1.11
    Affected: >= 7.0.0, < 7.0.8
    Affected: >= 6.0.0, < 6.4.1
    Affected: >= 5.2.6, < 5.4.21
    Affected: >= 4.5.3, < 5.0.0
    Affected: >= 3.2.9, < 4.0.0
    Affected: >= 2.9.18, < 3.0.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62522",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-20T20:16:51.209674Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-20T20:17:08.287Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.2.6, \u003c 5.4.21"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.5.3, \u003c 5.0.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.9, \u003c 4.0.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.9.18, \u003c 3.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \\ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-20T19:57:13.188Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed"
            }
          ],
          "source": {
            "advisory": "GHSA-93m4-6634-74q7",
            "discovery": "UNKNOWN"
          },
          "title": "vite allows server.fs.deny bypass via backslash on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62522",
        "datePublished": "2025-10-20T19:57:13.188Z",
        "dateReserved": "2025-10-15T15:03:28.135Z",
        "dateUpdated": "2025-10-20T20:17:08.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58752 (GCVE-0-2025-58752)

    Vulnerability from nvd – Published: 2025-09-08 22:56 – Updated: 2025-09-09 13:29
    VLAI
    Title
    Vite's `server.fs` settings were not applied to HTML files
    Summary
    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 5.4.20
    Affected: >= 6.0.0, < 6.3.6
    Affected: >= 7.0.0, < 7.0.7
    Affected: >= 7.1.0, < 7.1.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58752",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-09T13:13:50.971669Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-09T13:29:30.868Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.20"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.3.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: \u0027spa\u0027` (default) or `appType: \u0027mpa\u0027` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T22:56:58.039Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6"
            }
          ],
          "source": {
            "advisory": "GHSA-jqfw-vq24-v9c3",
            "discovery": "UNKNOWN"
          },
          "title": "Vite\u0027s `server.fs` settings were not applied to HTML files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-58752",
        "datePublished": "2025-09-08T22:56:58.039Z",
        "dateReserved": "2025-09-04T19:18:09.499Z",
        "dateUpdated": "2025-09-09T13:29:30.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58751 (GCVE-0-2025-58751)

    Vulnerability from nvd – Published: 2025-09-08 22:52 – Updated: 2025-09-09 13:29
    VLAI
    Title
    Vite middleware may serve files starting with the same name with the public directory
    Summary
    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 5.4.20
    Affected: >= 6.0.0, < 6.3.6
    Affected: >= 7.0.0, < 7.0.7
    Affected: >= 7.1.0, < 7.1.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58751",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-09T13:14:11.634879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-09T13:29:36.802Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.20"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.3.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T22:52:45.667Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c"
            },
            {
              "name": "https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0"
            }
          ],
          "source": {
            "advisory": "GHSA-g4jq-h2w9-997c",
            "discovery": "UNKNOWN"
          },
          "title": "Vite middleware may serve files starting with the same name with the public directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-58751",
        "datePublished": "2025-09-08T22:52:45.667Z",
        "dateReserved": "2025-09-04T19:18:09.499Z",
        "dateUpdated": "2025-09-09T13:29:36.802Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-46565 (GCVE-0-2025-46565)

    Vulnerability from nvd – Published: 2025-05-01 17:20 – Updated: 2025-05-02 17:38
    VLAI
    Title
    Vite's server.fs.deny bypassed with /. for files under project root
    Summary
    Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.3.0, < 6.3.4
    Affected: >= 6.2.0, < 6.2.7
    Affected: >= 6.0.0, < 6.1.6
    Affected: >= 5.0.0, < 5.4.19
    Affected: < 4.5.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-46565",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-02T17:38:51.291423Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-02T17:38:55.291Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.3.0, \u003c 6.3.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.19"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-01T17:20:29.773Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb"
            }
          ],
          "source": {
            "advisory": "GHSA-859w-5945-r5v3",
            "discovery": "UNKNOWN"
          },
          "title": "Vite\u0027s server.fs.deny bypassed with /. for files under project root"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-46565",
        "datePublished": "2025-05-01T17:20:29.773Z",
        "dateReserved": "2025-04-24T21:10:48.174Z",
        "dateUpdated": "2025-05-02T17:38:55.291Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32395 (GCVE-0-2025-32395)

    Vulnerability from nvd – Published: 2025-04-10 13:25 – Updated: 2025-04-10 14:14
    VLAI
    Title
    Vite has an `server.fs.deny` bypass with an invalid `request-target`
    Summary
    Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.2.0, < 6.2.6
    Affected: >= 6.1.0, < 6.1.5
    Affected: >= 6.0.0, < 6.0.15
    Affected: >= 5.0.0, < 5.4.18
    Affected: < 4.5.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32395",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T14:14:30.473382Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T14:14:40.591Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.1.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.18"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won\u0027t contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-10T13:25:19.177Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70"
            }
          ],
          "source": {
            "advisory": "GHSA-356w-63v5-8wf4",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-32395",
        "datePublished": "2025-04-10T13:25:19.177Z",
        "dateReserved": "2025-04-06T19:46:02.464Z",
        "dateUpdated": "2025-04-10T14:14:40.591Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31486 (GCVE-0-2025-31486)

    Vulnerability from nvd – Published: 2025-04-03 18:24 – Updated: 2025-04-03 20:39
    VLAI
    Title
    Vite allows server.fs.deny to be bypassed with .svg or relative paths
    Summary
    Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 4.5.12
    Affected: >=5.0.0, < 5.4.17
    Affected: >=6.0.0, < 6.0.14
    Affected: >=6.1.0, < 6.1.4
    Affected: >=6.2.0, < 6.2.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31486",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T20:39:24.672022Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T20:39:28.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.5.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e=5.0.0, \u003c 5.4.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e=6.0.0, \u003c 6.0.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e=6.1.0, \u003c 6.1.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e=6.2.0, \u003c 6.2.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-03T18:24:39.616Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647"
            },
            {
              "name": "https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290"
            }
          ],
          "source": {
            "advisory": "GHSA-xcj6-pq6g-qj4x",
            "discovery": "UNKNOWN"
          },
          "title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31486",
        "datePublished": "2025-04-03T18:24:39.616Z",
        "dateReserved": "2025-03-28T13:36:51.298Z",
        "dateUpdated": "2025-04-03T20:39:28.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31125 (GCVE-0-2025-31125)

    Vulnerability from nvd – Published: 2025-03-31 17:06 – Updated: 2026-01-23 16:58
    VLAI CISA KEVIntel
    Title
    Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
    Summary
    Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.2.0, < 6.2.4
    Affected: >= 6.1.0, < 6.1.3
    Affected: >= 6.0.0, < 6.0.13
    Affected: >= 5.0.0, < 5.4.16
    Affected: < 4.5.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31125",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-23T16:58:33.096334Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2026-01-22",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-23T16:58:37.048Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"
              },
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.1.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.16"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline\u0026import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-31T17:31:51.583Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949"
            }
          ],
          "source": {
            "advisory": "GHSA-4r4m-qw57-chr8",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31125",
        "datePublished": "2025-03-31T17:06:30.704Z",
        "dateReserved": "2025-03-26T15:04:52.626Z",
        "dateUpdated": "2026-01-23T16:58:37.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30208 (GCVE-0-2025-30208)

    Vulnerability from nvd – Published: 2025-03-24 17:03 – Updated: 2025-03-24 17:46
    VLAI KEVIntel
    Title
    Vite bypasses server.fs.deny when using `?raw??`
    Summary
    Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 4.5.10
    Affected: >= 5.0.0, < 5.4.15
    Affected: >= 6.0.0, < 6.0.12
    Affected: >= 6.1.0, < 6.1.2
    Affected: >= 6.2.0, < 6.2.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30208",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T17:40:42.736527Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T17:46:37.205Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.5.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import\u0026raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-24T17:03:40.728Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1"
            }
          ],
          "source": {
            "advisory": "GHSA-x574-m823-4x7w",
            "discovery": "UNKNOWN"
          },
          "title": "Vite bypasses server.fs.deny when using `?raw??`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-30208",
        "datePublished": "2025-03-24T17:03:40.728Z",
        "dateReserved": "2025-03-18T18:15:13.849Z",
        "dateUpdated": "2025-03-24T17:46:37.205Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24010 (GCVE-0-2025-24010)

    Vulnerability from nvd – Published: 2025-01-20 15:53 – Updated: 2025-01-21 14:52
    VLAI
    Title
    Vite allows any websites to send any requests to the development server and read the response
    Summary
    Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
    • CWE-1385 - Missing Origin Validation in WebSockets
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.0.0, < 6.0.9
    Affected: >= 5.0.0, < 5.4.12
    Affected: < 4.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24010",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-21T14:52:46.258360Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-21T14:52:53.680Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-350",
                  "description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1385",
                  "description": "CWE-1385: Missing Origin Validation in WebSockets",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-20T15:53:30.929Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6"
            }
          ],
          "source": {
            "advisory": "GHSA-vg6x-rcgg-rjx6",
            "discovery": "UNKNOWN"
          },
          "title": "Vite allows any websites to send any requests to the development server and read the response"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-24010",
        "datePublished": "2025-01-20T15:53:30.929Z",
        "dateReserved": "2025-01-16T17:31:06.457Z",
        "dateUpdated": "2025-01-21T14:52:53.680Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-53571 (GCVE-0-2026-53571)

    Vulnerability from cvelistv5 – Published: 2026-06-22 16:10 – Updated: 2026-06-22 18:07
    VLAI
    Title
    Vite: `server.fs.deny` bypass on Windows alternate paths
    Summary
    Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 8.0.0, < 8.0.16
    Affected: >= 7.0.0, < 7.3.5
    Affected: < 6.4.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53571",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T18:07:16.554503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T18:07:53.961Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite\u2019s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file\u0027s default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:10:58.500Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff"
            }
          ],
          "source": {
            "advisory": "GHSA-fx2h-pf6j-xcff",
            "discovery": "UNKNOWN"
          },
          "title": "Vite: `server.fs.deny` bypass on Windows alternate paths"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53571",
        "datePublished": "2026-06-22T16:10:58.500Z",
        "dateReserved": "2026-06-09T19:11:53.483Z",
        "dateUpdated": "2026-06-22T18:07:53.961Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53632 (GCVE-0-2026-53632)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:54 – Updated: 2026-06-22 17:30
    VLAI
    Title
    NTLMv2 hash disclosure via UNC path handling on Windows
    Summary
    launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs launch-editor Affected: < 2.14.1
    Create a notification for this product.
    vitejs vite Affected: >= 8.0.0, < 8.0.16
    Affected: >= 7.0.0, < 7.3.5
    Affected: < 6.4.3
    Create a notification for this product.
    vitejs vite-plus Affected: < 0.1.24
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53632",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:29:50.413110Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:30:11.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "launch-editor",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.14.1"
                }
              ]
            },
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 6.4.3"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.24"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user\u2019s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73: External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:54:09.240Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3"
            }
          ],
          "source": {
            "advisory": "GHSA-v6wh-96g9-6wx3",
            "discovery": "UNKNOWN"
          },
          "title": "NTLMv2 hash disclosure via UNC path handling on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53632",
        "datePublished": "2026-06-22T15:54:09.240Z",
        "dateReserved": "2026-06-09T20:16:59.647Z",
        "dateUpdated": "2026-06-22T17:30:11.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-52011 (GCVE-0-2024-52011)

    Vulnerability from cvelistv5 – Published: 2026-06-01 17:17 – Updated: 2026-06-30 12:07
    VLAI
    Title
    launch-editor vulnerable to command injection via the crafted request on Windows
    Summary
    launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
    Assigner
    Impacted products
    Vendor Product Version
    vitejs launch-editor Affected: < 2.9.0
    Create a notification for this product.
    vitejs vite Affected: < 5.4.9
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat Migration Toolkit for Containers     cpe:/a:redhat:rhmt:1
    Create a notification for this product.
    Red Hat Node HealthCheck Operator     cpe:/a:redhat:workload_availability_nhc:0
    Create a notification for this product.
    Red Hat OpenShift Lightspeed     cpe:/a:redhat:openshift_lightspeed
    Create a notification for this product.
    Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Create a notification for this product.
    Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop - Tech Preview     cpe:/a:redhat:podman_desktop:0
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
    Create a notification for this product.
    Red Hat Red Hat Discovery 2     cpe:/a:redhat:discovery:2::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
    Create a notification for this product.
    Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52011",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-02T15:24:21.443316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-02T15:24:59.154Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhmt:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Migration Toolkit for Containers",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:workload_availability_nhc:0"
                ],
                "defaultStatus": "unaffected",
                "product": "Node HealthCheck Operator",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_pipelines:1"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Pipelines",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apache_camel_hawtio:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel - HawtIO 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:0"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Podman Desktop - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Developer Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:discovery:2::el9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Discovery 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:container_native_virtualization:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Virtualization 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quay:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Quay 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-01T17:17:43.792Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in launch-editor, a tool that allows users to open files with line numbers in an editor from Node.js. Due to insufficient sanitization of the `file` argument in the `launchEditor` function, an attacker can execute arbitrary commands on Windows systems by supplying a filename that contains special characters. This can lead to a complete compromise of the affected system."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 8.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-88",
                    "description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:26.987Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2024-52011"
              },
              {
                "name": "RHBZ#2483853",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483853"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-52011.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-01T19:04:20.806Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-01T17:17:43.792Z",
                "value": "Made public."
              }
            ],
            "title": "launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "launch-editor",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.9.0"
                }
              ]
            },
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T17:17:43.792Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf"
            },
            {
              "name": "https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e"
            }
          ],
          "source": {
            "advisory": "GHSA-c27g-q93r-2cwf",
            "discovery": "UNKNOWN"
          },
          "title": "launch-editor vulnerable to command injection via the crafted request on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-52011",
        "datePublished": "2026-06-01T17:17:43.792Z",
        "dateReserved": "2024-11-04T17:46:16.779Z",
        "dateUpdated": "2026-06-30T12:07:26.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39365 (GCVE-0-2026-39365)

    Vulnerability from cvelistv5 – Published: 2026-04-07 19:13 – Updated: 2026-04-15 14:23
    VLAI
    Title
    Vite has a Path Traversal in Optimized Deps `.map` Handling
    Summary
    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 8.0.0, < 8.0.5
    Affected: >= 7.0.0, < 7.3.2
    Affected: >= 6.0.0, < 6.4.2
    Create a notification for this product.
    vitejs vite-plus Affected: < 0.1.16
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39365",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T18:10:42.839064Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T14:23:24.501Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.2"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server\u2019s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:13:50.927Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9"
            }
          ],
          "source": {
            "advisory": "GHSA-4w7w-66w2-5vf9",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has a Path Traversal in Optimized Deps `.map` Handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39365",
        "datePublished": "2026-04-07T19:13:50.927Z",
        "dateReserved": "2026-04-06T21:29:17.349Z",
        "dateUpdated": "2026-04-15T14:23:24.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39364 (GCVE-0-2026-39364)

    Vulnerability from cvelistv5 – Published: 2026-04-07 19:12 – Updated: 2026-06-30 12:09
    VLAI
    Title
    Vite has a `server.fs.deny` bypass with queries
    Summary
    Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize
    • CWE-284 - Improper Access Control
    • CWE-472 - External Control of Assumed-Immutable Web Parameter
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39364",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T20:01:48.579074Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T20:01:56.564Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T19:12:47.577Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve sensitive files, including environment variables (.env) and certificate files (*.crt), which should otherwise be blocked. This information disclosure could lead to further compromise of the system."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-472",
                    "description": "External Control of Assumed-Immutable Web Parameter",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:01.302Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-39364"
              },
              {
                "name": "RHBZ#2456181",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456181"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39364.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24866"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T20:02:18.458Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T19:12:47.577Z",
                "value": "Made public."
              }
            ],
            "title": "vite: Vite: Information disclosure via query parameter manipulation on the development server",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.3.2"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import\u0026raw, or ?import\u0026url\u0026inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-180",
                  "description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:12:47.577Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r"
            }
          ],
          "source": {
            "advisory": "GHSA-v2wj-q39q-566r",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has a `server.fs.deny` bypass with queries"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39364",
        "datePublished": "2026-04-07T19:12:47.577Z",
        "dateReserved": "2026-04-06T21:29:17.349Z",
        "dateUpdated": "2026-06-30T12:09:01.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39363 (GCVE-0-2026-39363)

    Vulnerability from cvelistv5 – Published: 2026-04-07 19:10 – Updated: 2026-06-30 12:09
    VLAI
    Title
    Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
    Summary
    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-1220 - Insufficient Granularity of Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 8.0.0, < 8.0.5
    Affected: >= 7.0.0, < 7.3.2
    Affected: >= 6.0.0, < 6.4.2
    Create a notification for this product.
    vitejs vite-plus Affected: < 0.1.16
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8     cpe:/a:redhat:ansible_automation_platform:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 9     cpe:/a:redhat:ansible_automation_platform:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
        cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6     cpe:/a:redhat:ansible_automation_platform:2.6::el9
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop - Tech Preview     cpe:/a:redhat:podman_desktop:0
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 10     cpe:/a:redhat:ansible_automation_platform:2.6::el10
        cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
    Create a notification for this product.
    Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39363",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T17:52:54.234521Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T17:52:58.420Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9",
                  "cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop - Tech Preview",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.6::el10",
                  "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:advanced_cluster_security:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Advanced Cluster Security 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T19:10:44.916Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vite, a frontend tooling framework. A remote attacker can exploit this vulnerability by connecting to the Vite development server\u0027s WebSocket without an Origin header. This allows the attacker to invoke the fetchModule function, enabling them to retrieve the contents of arbitrary files on the server. This information disclosure can lead to unauthorized access to sensitive data."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1220",
                    "description": "Insufficient Granularity of Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:01.953Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-39363"
              },
              {
                "name": "RHBZ#2456179",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456179"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39363.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24761"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24762"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24866"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T20:02:11.316Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T19:10:44.916Z",
                "value": "Made public."
              }
            ],
            "title": "Vite: Vite: Information disclosure via WebSocket connection bypasses access control",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0, \u003c 8.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.2"
                }
              ]
            },
            {
              "product": "vite-plus",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.1.16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server\u2019s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default \"...\"). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T19:10:44.916Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583"
            }
          ],
          "source": {
            "advisory": "GHSA-p9ff-h696-f583",
            "discovery": "UNKNOWN"
          },
          "title": "Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39363",
        "datePublished": "2026-04-07T19:10:44.916Z",
        "dateReserved": "2026-04-06T21:29:17.349Z",
        "dateUpdated": "2026-06-30T12:09:01.953Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62522 (GCVE-0-2025-62522)

    Vulnerability from cvelistv5 – Published: 2025-10-20 19:57 – Updated: 2025-10-20 20:17
    VLAI
    Title
    vite allows server.fs.deny bypass via backslash on Windows
    Summary
    Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 7.1.0, < 7.1.11
    Affected: >= 7.0.0, < 7.0.8
    Affected: >= 6.0.0, < 6.4.1
    Affected: >= 5.2.6, < 5.4.21
    Affected: >= 4.5.3, < 5.0.0
    Affected: >= 3.2.9, < 4.0.0
    Affected: >= 2.9.18, < 3.0.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62522",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-20T20:16:51.209674Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-20T20:17:08.287Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.4.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.2.6, \u003c 5.4.21"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.5.3, \u003c 5.0.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.9, \u003c 4.0.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.9.18, \u003c 3.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \\ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-20T19:57:13.188Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed"
            }
          ],
          "source": {
            "advisory": "GHSA-93m4-6634-74q7",
            "discovery": "UNKNOWN"
          },
          "title": "vite allows server.fs.deny bypass via backslash on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62522",
        "datePublished": "2025-10-20T19:57:13.188Z",
        "dateReserved": "2025-10-15T15:03:28.135Z",
        "dateUpdated": "2025-10-20T20:17:08.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58752 (GCVE-0-2025-58752)

    Vulnerability from cvelistv5 – Published: 2025-09-08 22:56 – Updated: 2025-09-09 13:29
    VLAI
    Title
    Vite's `server.fs` settings were not applied to HTML files
    Summary
    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 5.4.20
    Affected: >= 6.0.0, < 6.3.6
    Affected: >= 7.0.0, < 7.0.7
    Affected: >= 7.1.0, < 7.1.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58752",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-09T13:13:50.971669Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-09T13:29:30.868Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.20"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.3.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: \u0027spa\u0027` (default) or `appType: \u0027mpa\u0027` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T22:56:58.039Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6"
            }
          ],
          "source": {
            "advisory": "GHSA-jqfw-vq24-v9c3",
            "discovery": "UNKNOWN"
          },
          "title": "Vite\u0027s `server.fs` settings were not applied to HTML files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-58752",
        "datePublished": "2025-09-08T22:56:58.039Z",
        "dateReserved": "2025-09-04T19:18:09.499Z",
        "dateUpdated": "2025-09-09T13:29:30.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58751 (GCVE-0-2025-58751)

    Vulnerability from cvelistv5 – Published: 2025-09-08 22:52 – Updated: 2025-09-09 13:29
    VLAI
    Title
    Vite middleware may serve files starting with the same name with the public directory
    Summary
    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 5.4.20
    Affected: >= 6.0.0, < 6.3.6
    Affected: >= 7.0.0, < 7.0.7
    Affected: >= 7.1.0, < 7.1.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58751",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-09T13:14:11.634879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-09T13:29:36.802Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.4.20"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.3.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0, \u003c 7.0.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.1.0, \u003c 7.1.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T22:52:45.667Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c"
            },
            {
              "name": "https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0"
            }
          ],
          "source": {
            "advisory": "GHSA-g4jq-h2w9-997c",
            "discovery": "UNKNOWN"
          },
          "title": "Vite middleware may serve files starting with the same name with the public directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-58751",
        "datePublished": "2025-09-08T22:52:45.667Z",
        "dateReserved": "2025-09-04T19:18:09.499Z",
        "dateUpdated": "2025-09-09T13:29:36.802Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-46565 (GCVE-0-2025-46565)

    Vulnerability from cvelistv5 – Published: 2025-05-01 17:20 – Updated: 2025-05-02 17:38
    VLAI
    Title
    Vite's server.fs.deny bypassed with /. for files under project root
    Summary
    Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.3.0, < 6.3.4
    Affected: >= 6.2.0, < 6.2.7
    Affected: >= 6.0.0, < 6.1.6
    Affected: >= 5.0.0, < 5.4.19
    Affected: < 4.5.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-46565",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-02T17:38:51.291423Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-02T17:38:55.291Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.3.0, \u003c 6.3.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.1.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.19"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-01T17:20:29.773Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb"
            }
          ],
          "source": {
            "advisory": "GHSA-859w-5945-r5v3",
            "discovery": "UNKNOWN"
          },
          "title": "Vite\u0027s server.fs.deny bypassed with /. for files under project root"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-46565",
        "datePublished": "2025-05-01T17:20:29.773Z",
        "dateReserved": "2025-04-24T21:10:48.174Z",
        "dateUpdated": "2025-05-02T17:38:55.291Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32395 (GCVE-0-2025-32395)

    Vulnerability from cvelistv5 – Published: 2025-04-10 13:25 – Updated: 2025-04-10 14:14
    VLAI
    Title
    Vite has an `server.fs.deny` bypass with an invalid `request-target`
    Summary
    Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.2.0, < 6.2.6
    Affected: >= 6.1.0, < 6.1.5
    Affected: >= 6.0.0, < 6.0.15
    Affected: >= 5.0.0, < 5.4.18
    Affected: < 4.5.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32395",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T14:14:30.473382Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T14:14:40.591Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.1.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.18"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won\u0027t contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-10T13:25:19.177Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70"
            }
          ],
          "source": {
            "advisory": "GHSA-356w-63v5-8wf4",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-32395",
        "datePublished": "2025-04-10T13:25:19.177Z",
        "dateReserved": "2025-04-06T19:46:02.464Z",
        "dateUpdated": "2025-04-10T14:14:40.591Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31486 (GCVE-0-2025-31486)

    Vulnerability from cvelistv5 – Published: 2025-04-03 18:24 – Updated: 2025-04-03 20:39
    VLAI
    Title
    Vite allows server.fs.deny to be bypassed with .svg or relative paths
    Summary
    Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 4.5.12
    Affected: >=5.0.0, < 5.4.17
    Affected: >=6.0.0, < 6.0.14
    Affected: >=6.1.0, < 6.1.4
    Affected: >=6.2.0, < 6.2.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31486",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-03T20:39:24.672022Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T20:39:28.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.5.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e=5.0.0, \u003c 5.4.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e=6.0.0, \u003c 6.0.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e=6.1.0, \u003c 6.1.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e=6.2.0, \u003c 6.2.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-03T18:24:39.616Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647"
            },
            {
              "name": "https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290"
            }
          ],
          "source": {
            "advisory": "GHSA-xcj6-pq6g-qj4x",
            "discovery": "UNKNOWN"
          },
          "title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31486",
        "datePublished": "2025-04-03T18:24:39.616Z",
        "dateReserved": "2025-03-28T13:36:51.298Z",
        "dateUpdated": "2025-04-03T20:39:28.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-31125 (GCVE-0-2025-31125)

    Vulnerability from cvelistv5 – Published: 2025-03-31 17:06 – Updated: 2026-01-23 16:58
    VLAI CISA KEVIntel
    Title
    Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
    Summary
    Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.2.0, < 6.2.4
    Affected: >= 6.1.0, < 6.1.3
    Affected: >= 6.0.0, < 6.0.13
    Affected: >= 5.0.0, < 5.4.16
    Affected: < 4.5.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31125",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-23T16:58:33.096334Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2026-01-22",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-23T16:58:37.048Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"
              },
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.1.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.16"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline\u0026import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-31T17:31:51.583Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949"
            }
          ],
          "source": {
            "advisory": "GHSA-4r4m-qw57-chr8",
            "discovery": "UNKNOWN"
          },
          "title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-31125",
        "datePublished": "2025-03-31T17:06:30.704Z",
        "dateReserved": "2025-03-26T15:04:52.626Z",
        "dateUpdated": "2026-01-23T16:58:37.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30208 (GCVE-0-2025-30208)

    Vulnerability from cvelistv5 – Published: 2025-03-24 17:03 – Updated: 2025-03-24 17:46
    VLAI KEVIntel
    Title
    Vite bypasses server.fs.deny when using `?raw??`
    Summary
    Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    vitejs vite Affected: < 4.5.10
    Affected: >= 5.0.0, < 5.4.15
    Affected: >= 6.0.0, < 6.0.12
    Affected: >= 6.1.0, < 6.1.2
    Affected: >= 6.2.0, < 6.2.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30208",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T17:40:42.736527Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T17:46:37.205Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.5.10"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.1.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 6.2.0, \u003c 6.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import\u0026raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-24T17:03:40.728Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca"
            },
            {
              "name": "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1"
            }
          ],
          "source": {
            "advisory": "GHSA-x574-m823-4x7w",
            "discovery": "UNKNOWN"
          },
          "title": "Vite bypasses server.fs.deny when using `?raw??`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-30208",
        "datePublished": "2025-03-24T17:03:40.728Z",
        "dateReserved": "2025-03-18T18:15:13.849Z",
        "dateUpdated": "2025-03-24T17:46:37.205Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24010 (GCVE-0-2025-24010)

    Vulnerability from cvelistv5 – Published: 2025-01-20 15:53 – Updated: 2025-01-21 14:52
    VLAI
    Title
    Vite allows any websites to send any requests to the development server and read the response
    Summary
    Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
    • CWE-1385 - Missing Origin Validation in WebSockets
    Assigner
    References
    Impacted products
    Vendor Product Version
    vitejs vite Affected: >= 6.0.0, < 6.0.9
    Affected: >= 5.0.0, < 5.4.12
    Affected: < 4.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24010",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-21T14:52:46.258360Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-21T14:52:53.680Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vite",
              "vendor": "vitejs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.0.0, \u003c 6.0.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-350",
                  "description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1385",
                  "description": "CWE-1385: Missing Origin Validation in WebSockets",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-20T15:53:30.929Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6"
            }
          ],
          "source": {
            "advisory": "GHSA-vg6x-rcgg-rjx6",
            "discovery": "UNKNOWN"
          },
          "title": "Vite allows any websites to send any requests to the development server and read the response"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-24010",
        "datePublished": "2025-01-20T15:53:30.929Z",
        "dateReserved": "2025-01-16T17:31:06.457Z",
        "dateUpdated": "2025-01-21T14:52:53.680Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }