pkg:npm/vite

20 total CVEs | HIGH 3 | MEDIUM 8

All known vulnerabilities

  • MEDIUM 5.3 | CVE-2025-31125 | ⚠ KEV | Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
    >= 6.2.0, < 6.2.4
  • HIGH 8.6 | CVE-2022-35204 | Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service
    from 0, < 2.9.13
  • HIGH 7.5 | CVE-2024-23331 | Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
    >= 2.7.0, < 2.9.17
  • HIGH 7.5 | CVE-2023-34092 | Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
    from 0, < 2.9.16
  • MEDIUM 6.5 | CVE-2025-24010 | Websites were able to send any requests to the development server and read the response in vite
    >= 6.0.0, < 6.0.9
  • MEDIUM 6.4 | CVE-2024-45812 | Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
    >= 5.4.0, < 5.4.6
  • MEDIUM 6.1 | CVE-2023-49293 | Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
    >= 4.4.0, < 4.4.12
  • MEDIUM 5.9 | CVE-2024-31207 | Vite's `server.fs.deny` did not deny requests for patterns with directories.
    >= 2.7.0, < 2.9.18
  • MEDIUM 5.3 | CVE-2025-31486 | Vite allows server.fs.deny to be bypassed with .svg or relative paths
    >= 6.2.0, < 6.2.5
  • MEDIUM 5.3 | CVE-2025-30208 | Vite bypasses server.fs.deny when using ?raw??
    >= 6.2.0, < 6.2.3
  • MEDIUM 5.3 | CVE-2024-45811 | Vite's `server.fs.deny` is bypassed when using `?import&raw`
    >= 5.4.0, < 5.4.6
  • CVE-2024-52011 | launch-editor vulnerable to command injection via the crafted request on Windows
    from 0, < 5.4.9
  • CVE-2026-39365 | Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
    >= 8.0.0, < 8.0.5
  • CVE-2026-39364 | Vite: `server.fs.deny` bypassed with queries
    >= 8.0.0, < 8.0.5
  • CVE-2026-39363 | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
    >= 8.0.0, < 8.0.5
  • CVE-2025-62522 | vite allows server.fs.deny bypass via backslash on Windows
    >= 7.1.0, < 7.1.11
  • CVE-2025-58751 | Vite middleware may serve files starting with the same name with the public directory
    >= 7.1.0, < 7.1.5
  • CVE-2025-58752 | Vite's `server.fs` settings were not applied to HTML files
    >= 7.1.0, < 7.1.5
  • CVE-2025-46565 | Vite's server.fs.deny bypassed with /. for files under project root
    >= 6.3.0, < 6.3.4
  • CVE-2025-32395 | Vite has an `server.fs.deny` bypass with an invalid `request-target`
    >= 6.2.0, < 6.2.6