CVE-2025-46565
📋 TL;DR
This vulnerability in Vite lets an unauthenticated attacker bypass the dev server's server.fs.deny file-access restrictions and read files under the project root that those patterns are meant to block, such as .env files and .crt/.pem certificates. Only Vite development servers explicitly exposed to the network (via the --host flag or the server.host option) are affected; the default localhost-only listener is not reachable by remote attackers.
💻 Affected Systems
- Vite
📦 What is this software?
Vite by Vitejs
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal sensitive credentials, API keys, certificates, or proprietary source code from development environments, leading to further system compromise.
Likely Case
Development environment credentials and configuration files are exposed, potentially allowing attackers to pivot to production systems or steal intellectual property.
If Mitigated
No impact if Vite dev server is not network-exposed or proper network segmentation is in place.
🎯 Exploit Status
Exploitation requires network access to an exposed Vite dev server and knowledge (or guessing) of file paths; well-known names such as .env need no guessing. No authentication is required, because the dev server does not authenticate requests at all.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.4, 6.2.7, 6.1.6, 5.4.19, or 4.5.14
Vendor Advisory: https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
Restart Required: Yes
Instructions:
1. Update Vite to a patched release: npm install -D vite@latest, or pin the patched release for the major line you are on (for example npm install -D vite@6.2.7; the patched releases are 6.3.4, 6.2.7, 6.1.6, 5.4.19 and 4.5.14). 2. Restart the development server. 3. Verify the installed version with npx vite --version (npm ls vite also shows it).
🔧 Temporary Workarounds
Disable network exposure
Remove the --host flag or the server.host configuration so the dev server listens on localhost only:
Remove '--host' from the dev script in package.json (note that npm run dev -- --host exposes the server just the same)
Remove server.host from vite.config.js, or set server.host: false (Vite then binds to localhost, its default)
Network segmentation
Restrict network access to the Vite dev server port with firewall rules. The rules below are IPv4 only; add matching ip6tables rules if the host has IPv6, and make sure they land before any broad ACCEPT rule already in the INPUT chain (use -I instead of -A if one exists), otherwise the DROP never fires:
iptables -A INPUT -p tcp --dport 5173 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 5173 -j DROP
🧯 If You Can't Patch
- Do not expose Vite dev server to network (remove --host flag)
- Implement strict firewall rules to restrict access to Vite dev server port (default 5173)
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Vite version is below the patched release for its line (6.3.4, 6.2.7, 6.1.6, 5.4.19 or 4.5.14) and whether the dev server is exposed with --host or a server.host setting; both conditions must hold for the server to be vulnerable.
Check Version:
npx vite --version (uses the project-local install rather than a global one), or npm ls vite. package.json only shows the declared version range, not what is actually installed; check node_modules/vite/package.json or the lockfile for that.
Verify Fix Applied:
Verify with npx vite --version that the installed version is at least the patched release for its line: 6.3.4, 6.2.7, 6.1.6, 5.4.19 or 4.5.14 (or anything newer than those).
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in request logs (Vite's dev server does not write an access log by default, so request-level visibility usually comes from a reverse proxy or packet capture in front of it)
- Requests containing '/.' in the URL path, i.e. a path segment that starts with a dot, including percent-encoded forms such as %2e
Network Indicators:
- External requests to Vite dev server port (default 5173)
- Requests attempting to access .env, .crt, .pem files
SIEM Query:
source="vite" AND (url="*/.env*" OR url="*/.crt*" OR url="*/.pem*")
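The indicators above can be checked offline against access-log lines. The script below is an added example written for this page, not code from the advisory or from Vite. The log lines in it are constructed for the example (common log format, as a reverse proxy in front of the dev server would write them); their status codes are arbitrary and not a record of what the bypass returns. The deny rules mirror Vite's documented default server.fs.deny list (.env, .env.*, *.{crt,pem}, **/.git/**); add your own config's patterns to DENY_RULES. Function names are this example's own.

```javascript
// Added example, not part of the advisory or Vite. Scans access-log lines for
// the request shapes listed under Detection & Monitoring: a '/.' segment in
// the path (also percent-encoded) and targets matching the default deny list.

// Basename rules mirroring Vite's documented default server.fs.deny
// (the **/.git/** entry is handled as a segment check in flagPath).
const DENY_RULES = [
  { name: ".env", test: (base) => base === ".env" },
  { name: ".env.*", test: (base) => base.startsWith(".env.") && base.length > 5 },
  { name: "*.{crt,pem}", test: (base) => /\.(crt|pem)$/i.test(base) },
];

// Constructed sample log (common log format); not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [05/May/2025:10:12:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '203.0.113.7 - - [05/May/2025:10:12:03 +0000] "GET /.env HTTP/1.1" 403 0',
  '203.0.113.7 - - [05/May/2025:10:12:05 +0000] "GET /./.env HTTP/1.1" 200 87',
  '203.0.113.7 - - [05/May/2025:10:12:09 +0000] "GET /%2e%2e/server.pem HTTP/1.1" 200 1704',
  '198.51.100.4 - - [05/May/2025:10:13:00 +0000] "GET /@vite/client HTTP/1.1" 200 2300',
].join("\n");

// Common-log-format line -> { ip, method, target, status }, or null if unparsable.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], target: m[3], status: Number(m[4]) };
}

// Drop the query string and decode one layer of percent-encoding so that
// /%2eenv is seen as /.env; keep the raw path if decoding fails.
function decodePath(target) {
  const p = target.split("?")[0];
  try {
    return decodeURIComponent(p);
  } catch {
    return p;
  }
}

// Reasons a request target is suspicious under this advisory; [] if clean.
function flagPath(target) {
  const segments = decodePath(target).split("/").filter((s) => s.length > 0);
  const reasons = [];
  // Any segment starting with '.' is exactly the "'/.' in URL path" indicator.
  if (segments.some((s) => s.startsWith("."))) reasons.push("dot segment ('/.' in path)");
  if (segments.includes(".git")) reasons.push("matches **/.git/**");
  const base = segments.length ? segments[segments.length - 1] : "";
  for (const rule of DENY_RULES) {
    if (rule.test(base)) reasons.push(`matches ${rule.name}`);
  }
  return reasons;
}

// Parsed log entries that triggered at least one reason, in log order.
function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const req = parseLogLine(line);
    if (!req) continue;
    const reasons = flagPath(req.target);
    if (reasons.length > 0) hits.push({ ...req, reasons });
  }
  return hits;
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.ip} ${hit.method} ${hit.target} -> ${hit.status}: ${hit.reasons.join("; ")}`);
}
```

Requests for /.env, /./.env and the encoded /%2e%2e/server.pem are reported; /src/main.ts and /@vite/client are not. A hit with a 200 status against an unpatched, exposed server is the case to escalate; a 403 shows the deny list doing its job.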