Vite
Easy fix7 remedies
cpe:2.3:a:vitejs:vite:*:*:*:*:node.js:*:*
Easy fix7 remedies
- >= 6.2.0, <= 6.2.5
- >= 6.1.0, <= 6.1.4
- >= 6.0.0, <= 6.0.14
- >= 5.0.0, <= 5.4.17
- <= 4.5.12
Vite Request-Target Bypass Vulnerability Allowing Arbitrary File Access
Vulnerability
Patched
A vulnerability in Vite, a frontend tooling framework for JavaScript, allows the contents of arbitrary files to be accessed through the browser. This issue affects Vite versions 6.2.0 prior to 6.2.6, 6.1.0 prior to 6.1.5, 6.0.0 prior to 6.0.15, 5.0.0 prior to 5.4.18, and 4.5.0 prior to 4.5.13. The vulnerability arises when the development server is exposed to the network and running on Node or Bun, bypassing the 'server.fs.deny' check by exploiting an invalid request-target that includes a '#' character, which is not allowed by HTTP specifications.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, such as the passwd file in Unix-based systems.
Reproduction
To reproduce this vulnerability, create a new Vite project and run the development server while explicitly exposing it to the network. Then, send a request that includes a '#' in the request-target to bypass the file system denial check and access arbitrary files.
Remediation
Users can update to Vite versions 6.2.6, 6.1.5, 6.0.15, 5.4.18, or 4.5.13 to address this vulnerability.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
4.5impact
2.5exploitability
6.9remediation
8.3relevance
0.0threat
4.9urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.