CVE-2025-24010

MEDIUM

vitejs/vite < 4.5.5, 6.0.0-6.0.9 - Origin Validation Error via CORS and WebSocket

Title source: llm
STIX 2.1

Description

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

References (1)

Core 1
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6

Scores

CVSS v3 6.5
EPSS 0.0027
EPSS Percentile 18.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-346 CWE-350 CWE-1385
Status published
Products (2)
npm/vite 6.0.0 - 6.0.9npm
vitejs/vite < 4.5.5
Published Jan 20, 2025
Tracked Since Feb 18, 2026