CVE-2025-46565 – vite

Package

Manager: npm
Name: vite
Vulnerable Version: >=6.3.0 <6.3.4 || >=6.2.0 <6.2.7 || >=6.0.0 <6.1.6 || >=5.0.0 <5.4.19 || >=0 <4.5.14

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00079 pctl0.23983

Details

Vite's server.fs.deny bypassed with /. for files under project root ### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed. - Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env` - Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*` ### Details [`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`). ### PoC ``` npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env/. http://localhost:5173 ```  

Metadata

Created: 2025-04-30T17:40:27Z
Modified: 2025-05-02T15:33:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-859w-5945-r5v3/GHSA-859w-5945-r5v3.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-859w-5945-r5v3
Finding: F063
Auto approve: 1