Missing Origin Validation in WebSockets

CVE-2025-24010

Medium

6.5/10

Summary

Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in versions 6.0.9, 5.4.12, and 4.5.6.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-1385 - Missing Origin Validation in WebSockets

The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

References

Advisory
Pull request

Advisory Timeline

Published Jan 20, 2025

Missing Origin Validation in WebSockets

CVE-2025-24010

Summary

CWE-1385 - Missing Origin Validation in WebSockets

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS