PT-2025-5257 · Vite · Vite

Ivantsepp · Published 2025-01-16 · Updated 2025-01-21 · CVE-2025-24010

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Vite versions prior to 6.0.9
Vite versions prior to 5.4.12
Vite versions prior to 4.5.6
Description

Vite allowed any website to send arbitrary requests to the development server and read the response, due to its default CORS settings and a lack of validation of the Origin header for WebSocket connections. The issue is caused by three factors: permissive default CORS settings, no validation of the Origin header for WebSocket connections, and no validation of the Host header for HTTP requests. Attackers can exploit these weaknesses to steal source code, reach functionality that was not meant to be exposed externally, and trigger functionality driven by messages sent over the WebSocket.
Recommendations

For versions prior to 6.0.9, update to version 6.0.9 or later.
For versions prior to 5.4.12, update to version 5.4.12 or later.
For versions prior to 4.5.6, update to version 4.5.6 or later.

As a temporary workaround, consider setting server.cors to false or limiting server.cors.origin to trusted origins.
For users of the backend integration feature, add the origin of the backend server to the server.cors.origin option.
For users running a reverse proxy in front of Vite, add the proxied hostname to the new server.allowedHosts option.
For users accessing the development server via a domain other than localhost or *.localhost, add that hostname to the server.allowedHosts option.
For users of a plugin or framework that connects to the WebSocket server on its own from the browser, try upgrading to a newer version of Vite that fixes the vulnerability, or set legacy.skipWebSocketTokenCheck: true to opt out of the fix.
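The settings the recommendations describe, as an added example that is not part of this advisory or of the Vite project: the permissive defaults of an affected version next to a hardened server block, with two small checks modelling what server.cors.origin and server.allowedHosts admit. The origins and hostnames are assumed placeholders, and hostAllowed is a simplified model of Vite's own check, not its code.

```javascript
// Added example (not from the advisory or the Vite project): permissive
// dev-server settings of an affected version beside the hardened settings
// the advisory recommends. Origins and hostnames below are made-up placeholders.

// Vite passes `server.cors` to the `cors` middleware, whose `origin` option may
// be a function (requestOrigin, callback) => callback(err, allow).
const TRUSTED_ORIGINS = new Set([
  'http://localhost:5173',            // the dev server itself
  'http://backend.example.test:8080', // backend integration server (assumed)
]);

function corsOrigin(requestOrigin, callback) {
  // Requests carrying no Origin header are not cross-site browser requests.
  if (requestOrigin === undefined) return callback(null, true);
  callback(null, TRUSTED_ORIGINS.has(requestOrigin));
}

// Before: the effective defaults of a vulnerable version.
const vulnerableServer = {
  cors: true, // answers every origin with Access-Control-Allow-Origin: *
  // no Host validation, no Origin check on the WebSocket upgrade
};

// After: restrict CORS to trusted origins and list the hostnames (beyond
// localhost) that may address the dev server, e.g. one behind a reverse proxy.
const hardenedServer = {
  cors: { origin: corsOrigin },
  allowedHosts: ['dev.example.test'], // assumed reverse-proxy hostname
};

// Does `config` allow a cross-origin request from `requestOrigin`?
function originAllowed(config, requestOrigin) {
  if (config.cors === true) return true;
  if (!config.cors) return false;
  let allowed = false;
  config.cors.origin(requestOrigin, (err, ok) => { allowed = !err && ok === true; });
  return allowed;
}

// Simplified model of server.allowedHosts: localhost and *.localhost are always
// accepted; any other Host value must be listed (Vite's real check also honours
// leading-dot wildcard entries, omitted here).
function hostAllowed(config, host) {
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  return (config.allowedHosts || []).includes(host);
}
```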

Weakness Enumeration

Origin Validation Error

Related Identifiers

BDU:2025-01641
CVE-2025-24010
GHSA-VG6X-RCGG-RJX6

Affected Products

Vite