CVE-2025-62522
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-20

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-20
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62522
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
vitejs vite 6.4.1
vitejs vite 7.1.0
vitejs vite 7.1.11
vitejs vite 7.0.8
vitejs vite 6.0.0
vitejs vite 6.4.0
vitejs vite 7.0.7
vitejs vite 5.4.21
vitejs vite 7.0.0
vitejs vite 7.1.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Vite frontend tooling framework when running its development server on Windows and exposing it to the network. It allows an attacker to bypass file access restrictions configured via the server.fs.deny option by appending a trailing backslash (\) to the URL path. This bypass occurs because Windows file system calls ignore the trailing backslash, enabling access to files that should be blocked, such as sensitive environment files (.env) and certificates. [2]

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive files, such as environment configuration files containing secrets or certificates, if you run the Vite dev server on Windows and expose it to the network. Attackers can remotely access these files without any privileges or user interaction, potentially compromising confidential information. There is no reported impact on data integrity or availability. [2]

Detection Guidance

You can detect this vulnerability by checking if your Vite dev server is running on Windows and is explicitly exposed to the network (using the --host flag or server.host configuration). To test if the vulnerability is present, you can attempt to access files that should be denied by server.fs.deny by appending a trailing backslash to the URL path. For example, use the command: curl --request-target /.env\ http://localhost:5173 to see if the .env file is accessible despite deny rules. [2]

Mitigation Strategies

The immediate mitigation is to upgrade Vite to a patched version where this vulnerability is fixed. The patched versions are 5.4.21, 6.4.1, 7.0.8, and 7.1.11 or later. Additionally, avoid exposing the Vite dev server to the network on Windows if possible, or restrict access to trusted users only. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62522. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart