CVE-2025-62522

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-62522

Severity

Unknown

Summary

vite allows server.fs.deny bypass via backslash on Windows

Description

Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.

References

https://images.chainguard.dev/security/CGA-xg52-f7mg-5hj3
https://github.com/advisories/GHSA-93m4-6634-74q7
https://images.chainguard.dev/security/CGA-w33r-62x9-vv26
https://images.chainguard.dev/security/CGA-947q-m6p4-3g23
https://images.chainguard.dev/security/CGA-p35g-g6qx-c579
https://images.chainguard.dev/security/CGA-j65f-8rfc-wxm6
https://images.chainguard.dev/security/CGA-vfv4-j9gj-wc8q
https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7
https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-62522

Severity

Summary

Description

References

Affected packages

Product

Solutions

Customers

Resources

Company