CVE-2025-62522
BaseFortify
Publication date: 2025-10-20
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vitejs | vite | 6.4.1 |
| vitejs | vite | 7.1.0 |
| vitejs | vite | 7.1.11 |
| vitejs | vite | 7.0.8 |
| vitejs | vite | 6.0.0 |
| vitejs | vite | 6.4.0 |
| vitejs | vite | 7.0.7 |
| vitejs | vite | 5.4.21 |
| vitejs | vite | 7.0.0 |
| vitejs | vite | 7.1.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Vite frontend tooling framework when running its development server on Windows and exposing it to the network. It allows an attacker to bypass file access restrictions configured via the server.fs.deny option by appending a trailing backslash (\) to the URL path. This bypass occurs because Windows file system calls ignore the trailing backslash, enabling access to files that should be blocked, such as sensitive environment files (.env) and certificates. [2]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive files, such as environment configuration files containing secrets or certificates, if you run the Vite dev server on Windows and expose it to the network. Attackers can remotely access these files without any privileges or user interaction, potentially compromising confidential information. There is no reported impact on data integrity or availability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your Vite dev server is running on Windows and is explicitly exposed to the network (using the --host flag or server.host configuration). To test if the vulnerability is present, you can attempt to access files that should be denied by server.fs.deny by appending a trailing backslash to the URL path. For example, use the command: curl --request-target /.env\ http://localhost:5173 to see if the .env file is accessible despite deny rules. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Vite to a patched version where this vulnerability is fixed. The patched versions are 5.4.21, 6.4.1, 7.0.8, and 7.1.11 or later. Additionally, avoid exposing the Vite dev server to the network on Windows if possible, or restrict access to trusted users only. [2]