CVE-2025-46565
Information Disclosure vulnerability in vite (npm)


What is CVE-2025-46565 About?

This vulnerability in Vite allows files denied by `server.fs.deny` matching patterns to be returned to the browser through a URL validation bypass. An attacker can access sensitive files within the project root by crafting a specific URL. Exploitation is of low complexity when the dev server is exposed.

Affected Software

  • vite
    • <4.5.14
    • >5.0.0, <5.4.19
    • >6.0.0, <6.1.6
    • >6.2.0, <6.2.7
    • >6.3.0, <6.3.4

Technical Details

The vulnerability arises from an improper implementation of the file matching patterns in Vite's `server.fs.deny` configuration, which is designed to prevent access to sensitive files. Attackers can bypass these denial rules for files located under the project root directory by crafting URLs that use a combination of a slash and a dot (e.g., `/.`). This URL construction causes the Vite dev server to resolve the path incorrectly, so the intended file access restriction is bypassed and the contents of files that should otherwise be denied (such as `.env` or `*.pem`) are exposed. The issue is reachable only when the Vite dev server is explicitly exposed to the network.

What is the Impact of CVE-2025-46565?

Successful exploitation may allow attackers to access sensitive information, potentially leading to unauthorized disclosure of configuration files, credentials, or other confidential data.

What is the Exploitability of CVE-2025-46565?

Exploitation complexity is low, provided the Vite dev server is explicitly exposed to the network via `--host` or the `server.host` configuration. No authentication or specific privileges are required, as the attack targets the server's file serving logic. This is a remote vulnerability, triggered by a specially crafted HTTP request to the dev server; the key prerequisite is that the server is network-accessible. Additional conditions are that the target file is under the project root and is matched by a `server.fs.deny` pattern. The likelihood of exploitation is higher in development environments where Vite dev servers may be inadvertently exposed to untrusted networks.

What are the Known Public Exploits?

No known exploits (no PoC, author, link, or commentary entries are listed).

What are the Available Fixes for CVE-2025-46565?

Available Upgrade Options

  • vite
    • <4.5.14 → Upgrade to 4.5.14
    • >5.0.0, <5.4.19 → Upgrade to 5.4.19
    • >6.0.0, <6.1.6 → Upgrade to 6.1.6
    • >6.2.0, <6.2.7 → Upgrade to 6.2.7
    • >6.3.0, <6.3.4 → Upgrade to 6.3.4


Additional Resources

What are Similar Vulnerabilities to CVE-2025-46565?

Similar Vulnerabilities: CVE-2023-45803, CVE-2022-24348, CVE-2021-23382, CVE-2020-15177, CVE-2019-14283