vite@2.7.8 vulnerabilities

Native-ESM powered web dev build tool

Direct Vulnerabilities

Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Information Exposure when using ?import&raw in the URL parameters. An attacker can access file contents that should be restricted by exploiting this bypass mechanism.

How to fix Information Exposure?

Upgrade vite to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.

<3.2.11 >=4.0.0 <4.5.5 >=5.0.0 <5.2.14 >=5.3.0 <5.3.6 >=5.4.0 <5.4.6
  • L
Cross-site Scripting (XSS)

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the document.currentScript lookup mechanism when building scripts to cjs/iife/umd output format. This vulnerability is exploitable on websites that allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

How to fix Cross-site Scripting (XSS)?

Upgrade vite to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.

<3.2.11 >=4.0.0 <4.5.5 >=5.0.0 <5.2.14 >=5.3.0 <5.3.6 >=5.4.0 <5.4.6
  • M
Improper Access Control

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.

Note:

Only apps setting a custom server.fs.deny that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

How to fix Improper Access Control?

Upgrade vite to version 2.9.18, 3.2.10, 4.5.3, 5.0.13, 5.1.7, 5.2.6 or higher.

>=2.7.0 <2.9.18 >=3.0.0 <3.2.10 >=4.0.0 <4.5.3 >=5.0.0 <5.0.13 >=5.1.0 <5.1.7 >=5.2.0 <5.2.6
  • H
Access Control Bypass

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows.

How to fix Access Control Bypass?

Upgrade vite to version 2.9.17, 3.2.8, 4.5.2, 5.0.12 or higher.

>=2.7.0 <2.9.17 >=3.0.0 <3.2.8 >=4.0.0 <4.5.2 >=5.0.0 <5.0.12
  • H
Path Equivalence

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Path Equivalence such that Server Options (server.fs.deny) can be bypassed using double forward-slash (//) allowing any unauthenticated user to read files from the Vite root-path of the application including the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']).

Note:

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

How to fix Path Equivalence?

Upgrade vite to version 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, 4.3.9 or higher.

<2.9.16 >=3.0.0 <3.2.7 >=4.0.0 <4.0.5 >=4.1.0 <4.1.5 >=4.2.0 <4.2.3 >=4.3.0 <4.3.9
  • H
Directory Traversal

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Directory Traversal. It allows attackers to perform a directory traversal via a crafted URL to the victim's service.

How to fix Directory Traversal?

Upgrade vite to version 2.9.13 or higher.

<2.9.13