Bug 2363544 (CVE-2025-46565)
| Summary: | CVE-2025-46565 vite: Path Traversal in Vite Dev Server Allows Access to Restricted Files | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, brian.stansberry, brking, cdewolf, darran.lofthouse, davidn, dkreling, dosoudil, fjuma, haoli, hkataria, istudens, ivassile, iweiss, jajackso, jcammara, jmitchel, jneedle, kegrant, koliveir, kshier, lgao, mabashia, mosmerov, msochure, msvehla, nwallace, pbraun, pesilva, pjindal, pmackay, rstancel, shvarugh, simaishi, smaestri, smcdonal, stcannon, teagle, tfister, thavo, tom.jenkinson, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Vite. This vulnerability allows unauthorized access to denied files in the project root through crafted path traversal sequences when the server is explicitly exposed to the network. These specially crafted sequences could bypass intended access controls, allowing an attacker to read files that should otherwise be protected.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.