CVE-2025-32395 - Vite Frontend Tooling Framework Arbitrary File Disclosure Vulnerability Prior to 6.2.6, 6.1.5, 6..15, 5.4.18, and 4.5.13

Vite is a popular frontend tooling framework for JavaScript that aims to provide a fast and streamlined development experience. However, prior to versions 6.2.6, 6.1.5, 6..15, 5.4.18, and 4.5.13, the Vite development server was found to contain a vulnerability in its handling of file access, which could allow an attacker to gain unauthorized access to the contents of arbitrary files on the system running the server.

This vulnerability specifically affects applications running the Vite dev server on Node.js or Bun runtime environments that are explicitly exposed to the network using the --host command-line option or the server.host configuration option.

Exploit Details

According to the HTTP 1.1 specification (defined in RFC 9112), request-targets containing the # character are deemed invalid. However, an attacker can still send an HTTP request with such a malicious request-target.

For requests with an invalid request-line (including an invalid request-target), the HTTP 1.1 specification recommends rejecting those requests with a 400 (Bad Request) or 301 (Moved Permanently) response. The same recommendation applies to HTTP 2. Unfortunately, on Node.js and Bun runtime environments, these requests are not rejected automatically but are passed to the user land.

In Vite, it was assumed that the value of http.IncomingMessage.url would not contain a # character when checking server.fs.deny. As a result, requests containing a # character in the request-target can bypass the file access restriction, potentially exposing the contents of arbitrary files to an attacker.

An attacker could send a malicious HTTP request to the Vite development server, like this

GET /protected_file_path# HTTP/1.1
Host: target_server:target_port

Upon receiving such a request, the server will interpret the requested path as "/protected_file_path#", granting the attacker access to the file even if it is supposed to be protected.

Mitigation

This vulnerability has been fixed in Vite versions 6.2.6, 6.1.5, 6..15, 5.4.18, and 4.5.13. To ensure your application is protected from this issue, it is recommended to update the Vite package to the latest secure version by running the following command:

npm install vite@latest

It is also important to be cautious when exposing the Vite development server to the public internet or untrusted networks. Always ensure that your application is running on a secure runtime environment and that you are using the latest version of Vite with all known security patches applied.

Original References

- HTTP/1.1 Specification - RFC 9112
- Vite GitHub Repository
- Vulnerability Fixes in Vite Versions: 6.2.6, 6.1.5, 6..15, 5.4.18, 4.5.13

Conclusion

Securing web applications and development environments is of the utmost importance. By staying informed about known vulnerabilities and applying the latest updates and security patches to your tools and frameworks, you can help minimize the risk of exposing sensitive information and improve the overall security posture of your applications.

Timeline

Published on: 04/10/2025 14:15:29 UTC
Last modified on: 04/11/2025 15:39:52 UTC