Improper access control in Vite - CVE-2025-32395

 


Published: April 10, 2025 / Updated: May 22, 2026


Vulnerability identifier: #VU125307
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2025-32395
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Vite
Affected software: Vite

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the server.fs.deny check when handling an invalid request-target containing a # character. A remote attacker can send a specially crafted request to disclose sensitive information.

Only instances that explicitly expose the dev server to the network and run on Node or Bun are vulnerable. User interaction is required.


How to mitigate CVE-2025-32395

Install the security update from the vendor's website.
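
As an added example (not code from Vite or from this advisory), the connect-style middleware below rejects any request whose raw request-target contains a # character, so such requests never reach path-based checks like server.fs.deny. It assumes `req.url` holds the raw request-target, as on Node; the function and plugin names are hypothetical, and the guard complements the vendor update rather than replacing it.

```javascript
// Added example; all names here are hypothetical, not Vite's own code.
// HTTP request-targets do not carry a fragment, so a raw '#' in req.url
// marks an invalid request line. '%23' (an encoded '#') is still valid.
function hasInvalidRequestTarget(rawUrl) {
  return typeof rawUrl !== 'string' || rawUrl.includes('#');
}

// Connect-style middleware: answer 400 before any path-based check runs.
function rejectInvalidRequestTarget(req, res, next) {
  if (hasInvalidRequestTarget(req.url)) {
    res.statusCode = 400;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Invalid request-target');
    return;
  }
  next();
}

// Plugin wrapper. Middlewares registered directly inside configureServer
// run before the dev server's internal middlewares.
function rejectInvalidTargetPlugin() {
  return {
    name: 'reject-invalid-request-target',
    configureServer(server) {
      server.middlewares.use(rejectInvalidRequestTarget);
    },
  };
}

// Drive the middleware with a mock response and report the outcome.
function simulate(rawUrl) {
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let passed = false;
  rejectInvalidRequestTarget({ url: rawUrl }, res, () => { passed = true; });
  return { status: res.statusCode, passed };
}

// Constructed sample request-targets (not taken from the advisory).
for (const target of ['/src/main.js', '/src/main.js#frag', '/src/a.js?q=%23']) {
  console.log(target, simulate(target));
}
```

To use it, add `rejectInvalidTargetPlugin()` to the `plugins` array of the Vite configuration.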
