Description
Vite is a frontend build tooling framework for JavaScript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of the Vite serving allow list, but adding `?import&raw` to the URL bypasses this restriction and returns the file content if the file exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
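An added defender-side triage helper (example code, not Vite's or the advisory's): it checks an installed Vite version against the affected ranges listed in this record and scans constructed dev-server access-log lines for `/@fs/` requests that carry both the `import` and `raw` query flags. The combined-log format, the sample paths and the prerelease-stripping in `parse_version` are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected ranges taken from this record: (lower bound inclusive, upper bound exclusive).
# The 3.x entry has no lower bound on the page, so it starts at 0.0.0.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 2, 11)),
    ((4, 0, 0), (4, 5, 5)),
    ((5, 0, 0), (5, 2, 14)),
    ((5, 3, 0), (5, 3, 6)),
    ((5, 4, 0), (5, 4, 6)),
]

def parse_version(version):
    """Turn '5.4.5', 'v5.4.5' or '5.4.5-beta.0' into a comparable (major, minor, patch) tuple.
    Dropping the prerelease tag is an assumption made for this example."""
    core = version.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True if the given Vite version falls inside any range listed in the record."""
    ver = parse_version(version)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)

def is_fs_raw_import_request(target):
    """True if a request targets /@fs/ and carries both the 'import' and 'raw' query flags,
    the pattern described in GHSA-9cwx-2883-4wfx. Flag order and values are irrelevant."""
    parts = urlsplit(target)
    if "/@fs/" not in parts.path:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return "import" in query and "raw" in query

# Constructed combined-format access-log lines; only the second one shows the bypass pattern.
SAMPLE_LOG = [
    '127.0.0.1 - - [17/Sep/2024:10:00:00 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
    '127.0.0.1 - - [17/Sep/2024:10:00:01 +0000] "GET /@fs/home/dev/outside/notes.txt?import&raw HTTP/1.1" 200 88',
    '127.0.0.1 - - [17/Sep/2024:10:00:02 +0000] "GET /@fs/home/dev/app/src/logo.svg?import HTTP/1.1" 200 1024',
]
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def flag_log_lines(lines):
    """Return the request targets that match the bypass pattern, for alerting or review."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_fs_raw_import_request(match.group(1)):
            hits.append(match.group(1))
    return hits
```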
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx
Patch x_refsource_misc
https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34
Scores
CVSS v3
4.8
EPSS
0.0001
EPSS Percentile
3.1%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
CWE-284
Status
published
Products (6)
npm/vite
5.4.0 - 5.4.6 (npm)
vitejs/vite
< 3.2.11
vitejs/vite
>= 4.0.0, < 4.5.5
vitejs/vite
>= 5.0.0, < 5.2.14
vitejs/vite
>= 5.3.0, < 5.3.6
vitejs/vite
>= 5.4.0, < 5.4.6
Published
Sep 17, 2024
Tracked Since
Feb 18, 2026