PT-2025-42804 · Vite · Vite

Published: 2025-10-20 · Updated: 2026-01-06 · CVE-2025-62522

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Vite versions 2.9.18 through 3.0.0
Vite versions 3.2.9 through 4.0.0
Vite versions 4.5.3 through 5.0.0
Vite versions 5.2.6 through 5.4.21
Vite versions 6.0.0 through 6.4.1
Vite versions 7.0.0 through 7.0.8
Vite versions 7.1.0 through 7.1.11
Description

Vite is a frontend tooling framework for JavaScript. Files restricted by server.fs.deny could be accessed when the request URL ended with a backslash (`\`) and the development server was running on Windows. Only applications that explicitly expose the Vite development server to the network and run it on Windows are affected. The root cause lies in how fs.readFile() handles such file paths on Windows: a URL crafted with a trailing backslash bypasses the file access restrictions defined in server.fs.deny. A proof-of-concept demonstrates reading a .env file containing sensitive information with a curl request that uses such a URL.
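To make the deny-list gap concrete, here is an added illustration (not Vite's own code and not the advisory's proof-of-concept) of a check that matches the raw URL segment beside one that canonicalises the path first; the glob set, helper names and the Windows fs.readFile() behaviour the advisory describes are assumptions of the model.

```javascript
// Minimal model of a server.fs.deny style check (constructed illustration, NOT
// Vite's implementation). Assumes basename globs like Vite's defaults and a
// Windows host where fs.readFile() tolerates a trailing backslash.

// Convert a basename glob such as ".env.*" or "*.{crt,pem}" into an anchored RegExp.
function globToRegExp(glob) {
  let re = '';
  for (const ch of glob) {
    if (ch === '*') re += '.*';
    else if (ch === '{') re += '(?:';
    else if (ch === '}') re += ')';
    else if (ch === ',') re += '|';
    else re += ch.replace(/[.+?^$()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}

const DEFAULT_DENY = ['.env', '.env.*', '*.{crt,pem}'].map(globToRegExp);

// Weak check: matches the deny globs against the last URL segment as received.
// "/.env\" yields the segment ".env\", which matches no pattern, yet on Windows
// fs.readFile() resolves that path to ".env": the gap the advisory describes.
function isDeniedNaive(urlPath, deny = DEFAULT_DENY) {
  const base = urlPath.split('/').pop();
  return deny.some((re) => re.test(base));
}

// Hardened check: canonicalise the request the way the Windows filesystem will
// before matching, so the matcher and fs.readFile() agree on the file name.
function normalizeRequestPath(urlPath) {
  let p;
  try {
    p = decodeURIComponent(urlPath); // "%5C" is also a backslash
  } catch {
    return null; // malformed percent-encoding: caller fails closed
  }
  return p.replace(/\\/g, '/')   // backslash is a path separator on Windows
          .replace(/\/+$/, '');  // drop trailing separators
}

function isDeniedHardened(urlPath, deny = DEFAULT_DENY) {
  const normalized = normalizeRequestPath(urlPath);
  if (normalized === null) return true; // fail closed on undecodable input
  const base = normalized.split('/').pop();
  return deny.some((re) => re.test(base));
}
```

The fix pattern is the general one: run every deny-list comparison on the same canonical path the filesystem call will actually open, never on the raw request string.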
Recommendations

Update to Vite version 5.4.21 or later.
Update to Vite version 6.4.1 or later.
Update to Vite version 7.0.8 or later.
Update to Vite version 7.1.11 or later.

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2025-62522
GHSA-93M4-6634-74Q7

Affected Products

Vite