CVE-2025-24010 - How Vite’s CORS Misconfig Exposed Developers to Data Leaks

Summary:
Vite, a popular frontend tool for JavaScript, had a major vulnerability (CVE-2025-24010), letting any website send requests to Vite’s dev server and read the responses. This happened because the default CORS settings were too relaxed, and there was no validation of the Origin header, even for WebSocket connections. The bug is fixed in Vite versions 6..9, 5.4.12, and 4.5.6.

What is Vite?

If you make websites with modern JavaScript, you’ve likely bumped into Vite. It’s a fast build tool and development server, making local development super smooth.

Normally you run Vite locally, then it exposes a localhost server (like http://localhost:5173), where you see your app as you develop it.

What Went Wrong? (CVE-2025-24010 Explained)

The problem was that Vite’s dev server had very relaxed Cross-Origin Resource Sharing (CORS) rules. In plain English: it would allow any website, including malicious ones, to send requests and even upgrade to a WebSocket connection. Worse, the response could be read by that website.

Let’s break it down

- CORS is what keeps websites on different domains from snooping on each other or sending unwanted requests.

This means a malicious website could

- Send fetch/XHR requests to your local Vite dev server.

Attacker convinces the victim to visit a website in the same web browser.

3. The attacker’s website JavaScript sends requests to http://localhost:5173/ (where Vite is running).
4. The attacker’s site reads private files, exposed environment variables, or even live hot-reload code sent from Vite.

Here’s the sketch of Vite’s broken logic (code ref)

// Simplified example
app.use((req, res, next) => {
  // No validation on the Origin header
  res.setHeader('Access-Control-Allow-Origin', '*');
  next();
});

Even if you used WebSockets, there was no check

// Pseudo-code for WebSocket upgrade
if (req.headers.upgrade === 'websocket') {
  // No validation on req.headers.origin!
  handleWebSocket(req, socket);
}

Real Exploit: How a Hacker Could Use This

Let’s say you have .env files or API data that’s only available via the Vite dev server.

A malicious site could run this code in your browser

fetch('http://localhost:5173/api/secret')
  .then(res => res.text())
  .then(console.log);

Or to read hot-reloading code over WebSockets

const ws = new WebSocket('ws://localhost:5173/');
ws.onmessage = (event) => {
  // Dump hot-module reload info or internal app data!
  console.log(event.data);
};

v4.5.6

…you were at risk, especially if you did web browsing at the same time.

The dev server only accepts requests from trusted origins and from localhost

- Read the full patch diff

Upgrade to 6..9, 5.4.12, or 4.5.6 and above asap!

npm install vite@latest
# or pick the latest patch for your major version

References

- Vite Security Advisory for CVE-2025-24010
- Vite Pull Request: Fix CORS and Origin Validation (#17714)
- CVE Record for CVE-2025-24010

Closing

CVE-2025-24010 teaches us an important lesson:
Even local development tools need strong security! Don’t assume “localhost means safe.” Always keep your dev tools updated and don’t trust any site you visit while coding.

If you want to dig deeper into dev server security, read the OWASP CORS guidelines.

Timeline

Published on: 01/20/2025 16:15:28 UTC