cve-2025-46565
Vulnerability from cvelistv5
Published
2025-05-01 17:20
Modified
2025-05-02 17:38
Severity ?
6.0 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite's server.fs.deny bypassed with /. for files under project root
References
security-advisories@github.comhttps://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb
security-advisories@github.comhttps://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
Impacted products
vitejsvite
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46565",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-02T17:38:51.291423Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-02T17:38:55.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vite",
          "vendor": "vitejs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.3.0, \u003c 6.3.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.2.0, \u003c 6.2.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.1.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.4.19"
            },
            {
              "status": "affected",
              "version": "\u003c 4.5.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T17:20:29.773Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3"
        },
        {
          "name": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb"
        }
      ],
      "source": {
        "advisory": "GHSA-859w-5945-r5v3",
        "discovery": "UNKNOWN"
      },
      "title": "Vite\u0027s server.fs.deny bypassed with /. for files under project root"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46565",
    "datePublished": "2025-05-01T17:20:29.773Z",
    "dateReserved": "2025-04-24T21:10:48.174Z",
    "dateUpdated": "2025-05-02T17:38:55.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-46565\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-01T18:15:57.797\",\"lastModified\":\"2025-05-02T18:15:27.060\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.\"},{\"lang\":\"es\",\"value\":\"Vite es un framework de herramientas frontend para JavaScript. En versiones anteriores a las 6.3.4, 6.2.7, 6.1.6, 5.4.19 y 4.5.14, el contenido de los archivos en la root del proyecto que se deniegan por un patr\u00f3n de coincidencia de archivos se puede devolver al navegador. Solo las aplicaciones que exponen expl\u00edcitamente el servidor de desarrollo de Vite a la red (mediante la opci\u00f3n de configuraci\u00f3n --host o server.host) se ven afectadas. Solo se pueden omitir los archivos que se encuentran en la root del proyecto y se deniegan por un patr\u00f3n de coincidencia de archivos. `server.fs.deny` puede contener patrones que coinciden con archivos (por defecto, incluye .env, .env.*, *.{crt,pem} como tales patrones). Estos patrones se pod\u00edan omitir para los archivos en `root` mediante una combinaci\u00f3n de barra diagonal y punto (/.). Este problema se ha solucionado en las versiones 6.3.4, 6.2.7, 6.1.6, 5.4.19 y 4.5.14.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.