CVE-2025-46565 Information
Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19 and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected. Only files that are under the project root and are denied by a file matching pattern can be bypassed. server.fs.deny can contain patterns matching against files (by default it includes .env, .env.* and *.{crt,pem} as such patterns). These patterns could be bypassed for files under root by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19 and 4.5.14.
Reference
https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb
https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3