Description

Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.

INFO

Published Date :

2025-10-20T19:57:13.188Z

Last Modified :

2025-10-20T20:17:08.287Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62522 vulnerability.

Vendors Products
Microsoft
  • Windows
Vitejs
  • Vite
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62522.

URL Resource
https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed cve-icon cve-icon cve-icon
https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-62522 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-62522 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact