Vulnerability Description
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vitejs | Vite | < 4.5.14 |
Related Weaknesses (CWE)
References
- https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacbPatch
- https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3ExploitVendor Advisory
- https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3ExploitVendor Advisory
FAQ
What is CVE-2025-46565?
CVE-2025-46565 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can...
How severe is CVE-2025-46565?
CVE-2025-46565 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-46565?
Check the references section above for vendor advisories and patch information. Affected products include: Vitejs Vite.