MEDIUM 5.3 CVE-2025-31125 ⚠ KEV Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
>= 6.2.0, < 6.2.4
HIGH 8.6 CVE-2022-35204 Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service
from 0, < 2.9.13
HIGH 7.5 CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
>= 2.7.0, < 2.9.17
HIGH 7.5 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
from 0, < 2.9.16
MEDIUM 6.5 Websites were able to send any requests to the development server and read the response in vite
>= 6.0.0, < 6.0.9
MEDIUM 6.4 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
>= 5.4.0, < 5.4.6
MEDIUM 6.1 Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
>= 4.4.0, < 4.4.12
MEDIUM 5.9 Vite's `server.fs.deny` did not deny requests for patterns with directories.
>= 2.7.0, < 2.9.18
MEDIUM 5.3 Vite allows server.fs.deny to be bypassed with .svg or relative paths
>= 6.2.0, < 6.2.5
MEDIUM 5.3 Vite bypasses server.fs.deny when using ?raw??
>= 6.2.0, < 6.2.3
MEDIUM 5.3 Vite's `server.fs.deny` is bypassed when using `?import&raw`
>= 5.4.0, < 5.4.6
— launch-editor vulnerable to command injection via the crafted request on Windows
from 0, < 5.4.9
— Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
>= 8.0.0, < 8.0.5
— Vite: `server.fs.deny` bypassed with queries
>= 8.0.0, < 8.0.5
— Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
>= 8.0.0, < 8.0.5
— vite allows server.fs.deny bypass via backslash on Windows
>= 7.1.0, < 7.1.11
— Vite middleware may serve files starting with the same name with the public directory
>= 7.1.0, < 7.1.5
— Vite's `server.fs` settings were not applied to HTML files
>= 7.1.0, < 7.1.5
— Vite's server.fs.deny bypassed with /. for files under project root
>= 6.3.0, < 6.3.4
— Vite has an `server.fs.deny` bypass with an invalid `request-target`
>= 6.2.0, < 6.2.6