
CVE-2025-24010: Vite allows any website to send arbitrary requests to the development server and read the response

6.5 CVSS

Description

Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send arbitrary requests to the development server and read the response, because of permissive default CORS settings and missing validation of the Origin header on WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

Classification

CVE ID: CVE-2025-24010

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

Affected Products

Vendor: vitejs

Product: vite

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.68% (fraction of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-18 (date this score was calculated)

References

https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6

Timeline