Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

vitejs — Vulnerabilities & Security Advisories 20

Browse all 20 CVE security advisories affecting vitejs. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Vitejs is a modern build tool and development server primarily designed to accelerate frontend web application development by leveraging native ES modules. While it serves as a critical infrastructure component for numerous JavaScript frameworks, its role as a dependency injection mechanism exposes downstream projects to supply chain risks. Historical vulnerability records indicate a prevalence of issues related to path traversal and arbitrary file read vulnerabilities, stemming from improper handling of user-supplied input in development server endpoints. Although Remote Code Execution (RCE) is less common, the potential for privilege escalation exists if the tool runs with elevated permissions during the build process. Notable incidents have highlighted the importance of strict input validation within the development environment. With twenty recorded CVEs, maintaining up-to-date versions is essential to mitigate risks associated with outdated dependency trees and potential exploitation of server-side logic flaws.

Top products by vitejs: vite vite-plugin-react
CVE IDTitleCVSSSeverityPublished
CVE-2026-39365 Vite has a Path Traversal in Optimized Deps `.map` Handling — viteCWE-22 4.3 -2026-04-07
CVE-2026-39364 Vite has a `server.fs.deny` bypass with queries — viteCWE-180 7.5 -2026-04-07
CVE-2026-39363 Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket — viteCWE-200 7.5 -2026-04-07
CVE-2025-68155 @vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development — vite-plugin-reactCWE-22 7.5 High2025-12-16
CVE-2025-67489 @vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server — vite-plugin-reactCWE-94 9.8 Critical2025-12-09
CVE-2025-62522 vite allows server.fs.deny bypass via backslash on Windows — viteCWE-22 7.5AIHighAI2025-10-20
CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files — viteCWE-23 4.7AIMediumAI2025-09-08
CVE-2025-58751 Vite middleware may serve files starting with the same name with the public directory — viteCWE-22 5.3AIMediumAI2025-09-08
CVE-2025-46565 Vite's server.fs.deny bypassed with /. for files under project root — viteCWE-22 6.5AIMediumAI2025-05-01
CVE-2025-32395 Vite has an `server.fs.deny` bypass with an invalid `request-target` — viteCWE-200 7.5AIHighAI2025-04-10
CVE-2025-31486 Vite allows server.fs.deny to be bypassed with .svg or relative paths — viteCWE-200 5.3 Medium2025-04-03
CVE-2025-31125 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query — viteCWE-200 5.3 Medium2025-03-31
CVE-2025-30208 Vite bypasses server.fs.deny when using `?raw??` — viteCWE-200 5.3 Medium2025-03-24
CVE-2025-24010 Vite allows any websites to send any requests to the development server and read the response — viteCWE-346 6.5 Medium2025-01-20
CVE-2024-45812 DOM Clobbering gadget found in vite bundled scripts that leads to XSS in Vite — viteCWE-79 6.4 Medium2024-09-17
CVE-2024-45811 server.fs.deny bypassed when using ?import&raw in vite — viteCWE-200 4.8 Medium2024-09-17
CVE-2024-31207 Vite's `server.fs.deny` did not deny requests for patterns with directories — viteCWE-200 5.9 Medium2024-04-04
CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem — viteCWE-178 7.5 High2024-01-19
CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite — viteCWE-79 6.1 Medium2023-12-04
CVE-2023-34092 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) — viteCWE-50 7.5 High2023-06-01

This page lists every published CVE security advisory associated with vitejs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.