Vulnerability	Vulnerable Version
M Information Exposure vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure due to the handling of `req.url` which may contain unexpected characters such as `#`. An attacker can access and retrieve the contents of arbitrary files by sending specially crafted requests that bypass the `server.fs.deny` checks. Note: This is only exploitable if the Vite dev server is explicitly exposed to the network and running on Node or Bun runtimes, excluding Deno. How to fix Information Exposure? Upgrade `vite` to version 4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6 or higher.	<4.5.13>=5.0.0 <5.4.18>=6.0.0 <6.0.15>=6.1.0 <6.1.5>=6.2.0 <6.2.6

Information Exposure

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as #. An attacker can access and retrieve the contents of arbitrary files by sending specially crafted requests that bypass the server.fs.deny checks.

Note:

This is only exploitable if the Vite dev server is explicitly exposed to the network and running on Node or Bun runtimes, excluding Deno.

How to fix Information Exposure?

Upgrade vite to version 4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6 or higher.

<4.5.13>=5.0.0 <5.4.18>=6.0.0 <6.0.15>=6.1.0 <6.1.5>=6.2.0 <6.2.6

Go back to all versions of this package