CVE-2025-24010
Vite allows any websites to send any requests to the development server and read the response
In short
Vite's development server accepts requests from any website without adequate origin checks, so a malicious page open in the developer's browser can send requests to the local development environment and read the responses. This happens because the default CORS settings allow any origin and the Origin header of WebSocket connections is not validated.
Technical detail
The vulnerability stems from permissive default CORS settings and missing Origin header validation on WebSocket connections in Vite's development server. A web page from any origin can therefore issue arbitrary cross-site requests to the dev server and read the responses, exposing developers while the dev server is running.
Summary generated and translated by AI from the official description.
Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send any request to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
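The defensive check that closes this class of bug, shown as an added illustration rather than Vite's own code: browsers attach an Origin header to cross-site fetches and WebSocket handshakes, so a dev server can refuse any origin that is not the developer's own machine. The loopback allowlist, the choice to let requests without an Origin header through (non-browser clients), and the sample handshakes are assumptions of this example.

```javascript
// Added illustration of Origin allowlisting for a dev server (not Vite's code).
// Assumption: only loopback hostnames are trusted; the port is not checked
// because another local port still belongs to the developer's machine.
const DEFAULT_ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns true when a request carrying this Origin header may be served.
function isOriginAllowed(originHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  // Assumption: a missing Origin means a non-browser client (curl, Node scripts);
  // a browser always sends Origin on cross-site fetches and WebSocket handshakes.
  if (originHeader === undefined || originHeader === null) return true;
  // 'null' is the opaque origin (sandboxed iframe, file:// page): never trusted.
  if (originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // malformed Origin: reject rather than guess
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // hostname excludes the port; IPv6 literals keep their brackets, so
  // 'http://[::1]:5173' yields '[::1]'. Exact match defeats 'localhost.evil.example'.
  return allowedHosts.has(url.hostname);
}

// CORS response headers for a plain HTTP request. Reflecting every Origin (or
// answering '*') is what let arbitrary sites read dev-server responses, so only
// an allowed origin is reflected; everything else gets no CORS headers at all.
function corsHeadersFor(originHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (!originHeader || !isOriginAllowed(originHeader, allowedHosts)) return {};
  return { 'Access-Control-Allow-Origin': originHeader, Vary: 'Origin' };
}

// Decision for a WebSocket upgrade: 101 completes the handshake, 403 refuses it.
function websocketUpgradeStatus(headers, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  return isOriginAllowed(headers.origin, allowedHosts) ? 101 : 403;
}

// Constructed sample handshakes: one from the developer's own app, one cross-site.
const sampleHandshakes = [
  { origin: 'http://localhost:5173' },
  { origin: 'https://attacker.example' },
];
for (const h of sampleHandshakes) {
  console.log(h.origin, '->', websocketUpgradeStatus(h));
}
```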
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected products
vitejs · vite