CVE-2025-46565: Vite's server.fs.deny bypassed with /. for files under project root
Description
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Classification
CVE ID: CVE-2025-46565
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Problem Types
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Affected Products
Vendor: vitejs
Product: vite
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.07% (probability of being exploited)
EPSS Percentile: 21.74% (scored less or equal to compared to others)
EPSS Date: 2025-05-30 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-46565https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb