CVE-2025-24010

MEDIUM

Vite <6.0.9, 5.4.12, 4.5.6 - SSRF

Title source: llm

Description

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

References (1)

[Exploit, Mitigation, Third Party Advisory] https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6

Scores

CVSS v3 6.5

EPSS 0.0009

EPSS Percentile 25.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-346 CWE-350 CWE-1385

Status published

Products (2)

npm/vite 6.0.0 - 6.0.9npm

vitejs/vite < 4.5.5

Published Jan 20, 2025

Tracked Since Feb 18, 2026