Vite Support & Health

GHSA-353f-5xf4-qw67 CVSS_V3

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Published: 2023-06-06 Fixed in: 2.9.16

GHSA-356w-63v5-8wf4 CVSS_V4

Vite has an `server.fs.deny` bypass with an invalid `request-target`

Published: 2025-04-11 Fixed in: 6.2.6

GHSA-4r4m-qw57-chr8 CVSS_V3

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Published: 2025-03-31 Fixed in: 6.2.4

GHSA-4w7w-66w2-5vf9 CVSS_V4

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

Published: 2026-04-06 Fixed in: 8.0.5

GHSA-64vr-g452-qvp3 CVSS_V3

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Published: 2024-09-17 Fixed in: 5.4.6

GHSA-859w-5945-r5v3 CVSS_V4

Vite's server.fs.deny bypassed with /. for files under project root

Published: 2025-04-30 Fixed in: 6.3.4

GHSA-8jhw-289h-jh2g CVSS_V3

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Published: 2024-04-03 Fixed in: 2.9.18

GHSA-92r3-m2mg-pj97 CVSS_V3

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Published: 2023-12-05 Fixed in: 4.4.12

GHSA-93m4-6634-74q7 CVSS_V4

vite allows server.fs.deny bypass via backslash on Windows

Published: 2025-10-20 Fixed in: 7.1.11

GHSA-9cwx-2883-4wfx CVSS_V3

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Published: 2024-09-17 Fixed in: 5.4.6

Vite