Vulnerability	Vulnerable Version
M Directory Traversal vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal through the `server.fs.deny` configuration due to improper input sanitization. An attacker can bypass `server.fs.deny` with `/.` for files under project root and access sensitive files by manipulating path traversal sequences. Note: This is only exploitable if the application is explicitly exposing the Vite dev server to the network (using `--host` or server.host config option). Only files that are under project root and are denied by a file matching pattern can be bypassed. How to fix Directory Traversal? Upgrade `vite` to version 4.5.14, 5.4.19, 6.1.6, 6.2.7, 6.3.4 or higher.	<4.5.14>=5.0.0 <5.4.19>=6.0.0 <6.1.6>=6.2.0 <6.2.7>=6.3.0 <6.3.4

Directory Traversal

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root and access sensitive files by manipulating path traversal sequences.

Note:

This is only exploitable if the application is explicitly exposing the Vite dev server to the network (using --host or server.host config option). Only files that are under project root and are denied by a file matching pattern can be bypassed.

How to fix Directory Traversal?

Upgrade vite to version 4.5.14, 5.4.19, 6.1.6, 6.2.7, 6.3.4 or higher.

<4.5.14>=5.0.0 <5.4.19>=6.0.0 <6.1.6>=6.2.0 <6.2.7>=6.3.0 <6.3.4

Go back to all versions of this package