SB2024091788 - Multiple vulnerabilities in Vite

Published: September 17, 2024 Updated: April 8, 2026

Security Bulletin ID: SB2024091788
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 83%, Low 17%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2025-24010)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the development server when handling cross-origin requests. A remote attacker can send a specially crafted request from a malicious website to disclose sensitive information.

User interaction is required to visit a malicious website.


2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2024-45812)

The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.

The vulnerability exists due to improper control of dynamically resolved script URLs via DOM clobbering in Vite-bundled scripts. It affects pages that use cjs, iife, or umd build output, dynamically import scripts from the assets folder, and render attacker-controlled scriptless HTML elements. A remote user can inject a crafted HTML element that shadows document.currentScript to execute arbitrary script code in the victim's browser.

The issue arises because the document.currentScript lookup can be shadowed through the browser's named DOM tree element access mechanism, causing an attacker-controlled element src value to be used for dynamic script loading.


3) Improper access control (CVE-ID: CVE-2024-45811)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the @fs file serving mechanism when handling requests with the ?import&raw query parameter. A remote attacker can send a specially crafted request to disclose sensitive information.

User interaction is required.


4) Improper access control (CVE-ID: CVE-2025-32395)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the server.fs.deny check when handling an invalid request-target containing a # character. A remote attacker can send a specially crafted request to disclose sensitive information.

Only instances that explicitly expose the dev server to the network and run on Node or Bun are vulnerable. User interaction is required.


5) Improper Handling of Case Sensitivity (CVE-ID: CVE-2024-23331)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Vite dev server file access restriction for server.fs.deny when handling raw filesystem path requests on case-insensitive filesystems. A remote attacker can send a specially crafted request using case-augmented filenames to disclose sensitive information.

This issue affects exposed dev servers hosted on case-insensitive filesystems, notably Windows.


6) Path equivalence issue (CVE-ID: CVE-2023-34092)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Vite dev server file access restriction handling when processing requests containing a double forward-slash path. A remote attacker can send a specially crafted request to disclose sensitive information.

Only instances explicitly exposed to the network are affected, and only files in the immediate Vite project root folder could be exposed.
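
As an added example that is not part of this bulletin or of Vite's own code, the check below shows how a dev server's deny-list logic can be made robust against the three request-path handling gaps described in items 4, 5 and 6 (a # in the request-target, case folding on case-insensitive filesystems, and double forward slashes). The function name, option names and deny list are assumptions.

```javascript
// Added example, not Vite's own code: a hardened deny-list check for a dev
// server that closes the three request-path normalisation gaps this bulletin
// describes. Function and option names are hypothetical.

// Deny entries are file basenames (constructed sample list).
const DENY = ['.env', '.env.local', 'id_rsa'];

// Resolve '.', '..' and repeated '/' into a canonical absolute POSIX path.
// Skipping empty segments is what collapses '//' (CVE-2023-34092).
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

// Classify a raw HTTP request-target: 'invalid', 'denied' or 'allowed'.
function checkRequestTarget(rawTarget, { root, deny = DENY, caseInsensitiveFs = false }) {
  // CVE-2025-32395: '#' never belongs in a request-target (browsers strip the
  // fragment); reject it outright instead of letting a URL parser discard it
  // so that the deny check sees a different path than the filesystem does.
  if (rawTarget.includes('#')) return 'invalid';

  // Drop the query string (?import&raw and friends) before path handling.
  let p = rawTarget.split('?')[0];
  try { p = decodeURIComponent(p); } catch { return 'invalid'; }

  // '/@fs/<abs path>' addresses files directly; strip the prefix so the
  // same deny logic covers both request styles.
  const abs = p.startsWith('/@fs/') ? p.slice('/@fs'.length) : root + '/' + p;
  const clean = normalizePosix(abs);

  // Nothing outside the project root is served, whatever the deny list says.
  const rootDir = normalizePosix(root);
  if (clean !== rootDir && !clean.startsWith(rootDir + '/')) return 'denied';

  // CVE-2024-23331: on a case-insensitive filesystem '/.ENV' opens the same
  // file as '/.env', so the comparison must fold case as well.
  const fold = (s) => (caseInsensitiveFs ? s.toLowerCase() : s);
  const base = fold(clean.slice(clean.lastIndexOf('/') + 1));
  return deny.some((d) => fold(d) === base) ? 'denied' : 'allowed';
}
```

The root-containment check runs before the deny list so that a request reaching outside the project root is refused regardless of which basenames are listed.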


Remediation

Install the update from the vendor's website.