vite@8.0.4

Native-ESM powered web dev build tool

  • latest version

    8.0.8

  • latest non-vulnerable version

  • first published

    5 years ago

  • latest version published

    2 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • [High] Incorrect Behavior Order: Validate Before Canonicalize


    Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the server.fs.deny component. An attacker can access sensitive files by appending specific query parameters such as ?raw, ?import&raw, or ?import&url&inline to HTTP requests.

    Note:

    This is only exploitable if the development server is explicitly exposed to the network, the sensitive file exists within directories allowed by server.fs.allow, and the file is denied by a pattern in server.fs.deny.

    How to fix Incorrect Behavior Order: Validate Before Canonicalize?

    Upgrade vite to version 7.3.2, 8.0.5 or higher.

    Vulnerable versions: >=7.1.0 <7.3.2, >=8.0.0 <8.0.5
    • [High] Missing Authentication for Critical Function


    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is enabled. An attacker can access arbitrary files on the server by connecting to the WebSocket without an Origin header and invoking fetchModule with a crafted file URL, thereby retrieving sensitive file contents as JavaScript modules.

    Note:

    This is only exploitable if the development server is started with network exposure (such as using --host or the server.host configuration) and WebSocket is not disabled.

    How to fix Missing Authentication for Critical Function?

    Upgrade vite to version 6.4.2, 7.3.2, 8.0.5 or higher.

    Vulnerable versions: >=6.0.0 <6.4.2, >=7.0.0 <7.3.2, >=8.0.0 <8.0.5
    • [Medium] Directory Traversal


    Affected versions of this package are vulnerable to Directory Traversal via the handling of .map files in the dev server when resolving file paths. An attacker can access sensitive files outside the project root by injecting ../ segments into the URL, provided the files are valid source map JSON and the server is explicitly exposed to the network with predictable .map file paths.

    Note:

    This is only exploitable if the dev server is started with the --host flag or the server.host configuration option, and sensitive content exists in predictable .map files.

    How to fix Directory Traversal?

    Upgrade vite to version 6.4.2, 7.3.2, 8.0.5 or higher.

    Vulnerable versions: <6.4.2, >7.0.0 <7.3.2, >8.0.0 <8.0.5