Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in org.webjars.npm:vite

CVE-2025-46565

  • org.webjars.npm:vite
  • vite
Severity Medium
Score 6/10

Summary

Vite is a frontend tooling framework for JavaScript. In the vite package, versions through 4.5.13, 5.0.0-beta.0 through 5.4.18, 6.0.0-alpha.0 through 6.1.5, 6.2.0-beta.0 through 6.2.6, and 6.3.0-beta.0 through 6.3.3, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps that explicitly expose the Vite dev server to the network (using the `--host` or `server.host` config option) are affected, and only files that are under the project root and are denied by a file matching pattern can be reached this way. `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, and `*.{crt, pem}` as such patterns). For files under `root`, these patterns could be bypassed by using a combination of slash and dot (`/.`) in the request path.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-22 - Path Traversal

Path traversal (or directory traversal) is a vulnerability that allows a malicious user to traverse the server's root directory and gain access to arbitrary files and folders, such as application code and data, back-end credentials, and sensitive operating system files. In the worst case, an attacker could execute arbitrary files on the server, resulting in a denial-of-service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.

Advisory Timeline

  • Published