Description

Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.

INFO

Published Date :

2025-05-01T17:20:29.773Z

Last Modified :

2025-05-02T17:38:55.291Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-46565 vulnerability.

Vendors Products
Vitejs
  • Vite
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-46565.

URL Resource
https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb cve-icon cve-icon cve-icon
https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3 cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-46565 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-46565 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact