Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| vite(npm) | 6.2.0 | 6.2.4 | N/A |
| vite(npm) | 6.1.0 | 6.1.3 | N/A |
| vite(npm) | 6.0.0 | 6.0.13 | N/A |
| vite(npm) | 5.0.0 | 5.4.16 | N/A |
| vite(npm) | 0 | 4.5.11 | N/A |
CVSS Metrics
