Description
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- required
- Scope
- unchanged
- Confidentiality
- high
- Integrity
- none
- Availability
- none
- Weaknesses
- CWE-346CWE-350CWE-1385
Metadata
- Primary Vendor
- VITEJS
- Published
- 1/20/2025
- Last Modified
- 9/19/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
vitejs : vitevitejs : vitevitejs : vite
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.