vite@5.4.3 vulnerabilities

Native-ESM powered web dev build tool

latest version

5.4.10
latest non vulnerable version

6.0.0-beta.8
first published

5 years ago
latest version published

11 days ago
licenses detected
- MIT
  >=0
View vite package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Information Exposure vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure when using `?import&raw` in the URL parameters. An attacker can access file contents that should be restricted by exploiting this bypass mechanism. How to fix Information Exposure? Upgrade `vite` to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.	<3.2.11 >=4.0.0 <4.5.5 >=5.0.0 <5.2.14 >=5.3.0 <5.3.6 >=5.4.0 <5.4.6
L Cross-site Scripting (XSS) vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `document.currentScript` lookup mechanism when building scripts to `cjs`/`iife`/`umd` output format. This vulnerability is exploitable on websites that allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes. How to fix Cross-site Scripting (XSS)? Upgrade `vite` to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.	<3.2.11 >=4.0.0 <4.5.5 >=5.0.0 <5.2.14 >=5.3.0 <5.3.6 >=5.4.0 <5.4.6

Information Exposure

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Information Exposure when using ?import&raw in the URL parameters. An attacker can access file contents that should be restricted by exploiting this bypass mechanism.

How to fix Information Exposure?

Upgrade vite to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.

<3.2.11 >=4.0.0 <4.5.5 >=5.0.0 <5.2.14 >=5.3.0 <5.3.6 >=5.4.0 <5.4.6

Cross-site Scripting (XSS)

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the document.currentScript lookup mechanism when building scripts to cjs/iife/umd output format. This vulnerability is exploitable on websites that allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

How to fix Cross-site Scripting (XSS)?

Upgrade vite to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.

<3.2.11 >=4.0.0 <4.5.5 >=5.0.0 <5.2.14 >=5.3.0 <5.3.6 >=5.4.0 <5.4.6

Go back to all versions of this package

vite@5.4.3 vulnerabilities

Native-ESM powered web dev build tool

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities