PT-2025-18682 · Vite · Vite

Chienhm · Published 2025-04-30 · Updated 2026-03-27 · CVE-2025-46565

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Vite versions prior to 6.3.4
Vite versions prior to 6.2.7
Vite versions prior to 6.1.6
Vite versions prior to 5.4.19
Vite versions prior to 4.5.14
Description
The issue concerns Vite, a frontend tooling framework for JavaScript. In affected versions, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only applications that explicitly expose the Vite dev server to the network are affected. The server.fs.deny configuration can contain patterns matching against files, such as .env, .env.*, and *.{crt,pem}. These patterns can be bypassed for files under the project root using a combination of slash and dot (/.).
Recommendations
To resolve the issue, update to the fixed release of the branch in use: version 6.3.4, 6.2.7, 6.1.6, 5.4.19 or 4.5.14, or later.
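As an added illustration of the mitigation behind the description above (example code, not Vite's own implementation): a deny check that decodes the request path and collapses dot segments before matching, beside a naive check that only looks at the raw last path segment and therefore sees "." instead of the file name. The minimal glob matcher, the helper names and the sample paths are assumptions constructed for this example; it covers the three pattern forms the advisory names.

```javascript
// Added example, not Vite's own code: why a deny-list must match a normalised
// path. deniedNaive matches the raw last path segment; deniedHardened decodes
// the path, collapses "." and ".." segments and checks every remaining segment.
// globToRegExp is a minimal matcher for the pattern forms in the advisory.

// Escape regex metacharacters in a literal glob fragment.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Support "*" (within one segment) and "{a,b}" alternation, e.g. "*.{crt,pem}".
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') re += '[^/]*';
    else if (c === '{') {
      const end = glob.indexOf('}', i);
      re += '(' + glob.slice(i + 1, end).split(',').map(escapeRe).join('|') + ')';
      i = end;
    } else re += escapeRe(c);
  }
  return new RegExp('^' + re + '$');
}

// Collapse dot segments; returns null if the path would climb above the root.
function normaliseSegments(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (out.length === 0) return null; out.pop(); continue; }
    out.push(seg);
  }
  return out;
}

// Naive: test patterns against whatever follows the last slash, unnormalised.
function deniedNaive(requestPath, denyPatterns) {
  const last = requestPath.split('/').pop();
  return denyPatterns.some((g) => globToRegExp(g).test(last));
}

// Hardened: decode, drop the query string, normalise, then deny if any segment
// of the resolved path matches (so a denied directory shields its whole tree).
function deniedHardened(requestPath, denyPatterns) {
  let decoded;
  try { decoded = decodeURIComponent(requestPath.split('?')[0]); } catch { return true; }
  const segs = normaliseSegments(decoded);
  if (segs === null) return true; // would escape the project root: refuse
  return segs.some((seg) => denyPatterns.some((g) => globToRegExp(g).test(seg)));
}

// Constructed sample: the deny patterns named in the advisory.
const DENY = ['.env', '.env.*', '*.{crt,pem}'];
```

The useful comparison is deniedNaive versus deniedHardened on a denied file name followed by a dot segment: only the normalised check still denies it.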

Tags: Exploit · Fix · DoS · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-46565, GHSA-859W-5945-R5V3

Affected Products: Vite