Homepage

vite@4.5.11 vulnerabilities

Native-ESM powered web dev build tool

  • latest version

    7.1.10

  • latest non vulnerable version

    7.1.10

  • first published

    5 years ago

  • latest version published

    1 days ago

  • licenses detected

  • View vite package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • L
    Relative Path Traversal

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Relative Path Traversal via improper enforcement of server.fs settings. An attacker can access arbitrary HTML files on the server by sending crafted requests to the preview server.

    Note: This is only exploitable if the server is explicitly exposed to the network using the --host flag or the server.host configuration option, and the application uses appType set to 'spa' (default) or 'mpa'.

    How to fix Relative Path Traversal?

    Upgrade vite to version 5.4.20, 6.3.6, 7.0.7, 7.1.5 or higher.

    <5.4.20>=6.0.0 <6.3.6>=7.0.0 <7.0.7>=7.1.0 <7.1.5
    • M
    Directory Traversal

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root and access sensitive files by manipulating path traversal sequences.

    Note:

    This is only exploitable if the application is explicitly exposing the Vite dev server to the network (using --host or server.host config option). Only files that are under project root and are denied by a file matching pattern can be bypassed.

    How to fix Directory Traversal?

    Upgrade vite to version 4.5.14, 5.4.19, 6.1.6, 6.2.7, 6.3.4 or higher.

    <4.5.14>=5.0.0 <5.4.19>=6.0.0 <6.1.6>=6.2.0 <6.2.7>=6.3.0 <6.3.4
    • M
    Information Exposure

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as #. An attacker can access and retrieve the contents of arbitrary files by sending specially crafted requests that bypass the server.fs.deny checks.

    Note:

    This is only exploitable if the Vite dev server is explicitly exposed to the network and running on Node or Bun runtimes, excluding Deno.

    How to fix Information Exposure?

    Upgrade vite to version 4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6 or higher.

    <4.5.13>=5.0.0 <5.4.18>=6.0.0 <6.0.15>=6.1.0 <6.1.5>=6.2.0 <6.2.6
    • H
    Incorrect Authorization

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Incorrect Authorization via the bypass of the server.fs.deny restriction. An attacker can access restricted files by appending ?.svg with ?.wasm?init or with sec-fetch-dest: script header to the requests.

    Note:

    This is only exploitable if the file is smaller than the build.assetsInlineLimit (default: 4kB), when using Vite 6.0+ and when the Vite dev server is explicitly exposed to the network (using --host or server.host config option.

    How to fix Incorrect Authorization?

    Upgrade vite to version 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 or higher.

    <4.5.12>=5.0.0 <5.4.17>=6.0.0 <6.0.14>=6.1.0 <6.1.4>=6.2.0 <6.2.5
    Go back to all versions of this package