
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vite, a frontend tooling framework for JavaScript, was found to contain a security vulnerability (CVE-2025-24010) that allowed any website to send requests to the development server and read the response, due to permissive default CORS settings and a lack of validation of the Origin header on WebSocket connections. The vulnerability was discovered on January 20, 2025, and affects versions up to 6.0.8, 5.4.11, and 4.5.5. The issue has been fixed in versions 6.0.9, 5.4.12, and 4.5.6 (GitHub Advisory).
The vulnerability received a CVSS v3.1 score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The issue stemmed from three main causes: permissive default CORS settings that set Access-Control-Allow-Origin: *, a lack of validation of the Origin header on WebSocket connections, which made the dev server vulnerable to Cross-Site WebSocket Hijacking (CSWSH), and insufficient validation of the Host header on HTTP requests (GitHub Advisory).
The vulnerability could allow malicious websites to steal source code, access unauthorized functionality, and intercept sensitive information. Over the WebSocket connection, an attacker could obtain the file paths of changed files and the content of files in which errors occurred. The impact was particularly significant for users running the Vite dev server locally, even when it was not exposed to the network (GitHub Advisory).
For users unable to upgrade, mitigation steps include setting server.cors to false or limiting server.cors.origin to trusted origins. Users of the backend integration feature need to add the origin of the backend server to the server.cors.origin option. Those using reverse proxies or accessing the development server via non-localhost domains must add the hostname to the server.allowedHosts option. For WebSocket-related issues, users can set legacy.skipWebSocketTokenCheck: true, though this should be done with caution (GitHub Advisory).
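The mitigations above, as an added example that is not part of this entry and not Vite's own code or configuration: the `server` section of a vite.config.js in its permissive and hardened forms, plus a simplified model of the Origin and Host check a dev server must perform on a WebSocket upgrade to block CSWSH. The trusted origins and host names are assumptions chosen for illustration, and the check is this example's own logic, not Vite's implementation.

```javascript
// Added example for the CVE-2025-24010 entry; not Vite's own code or config.
// The trusted origins and host names below are assumptions for illustration.
const TRUSTED_ORIGINS = ['http://localhost:5173', 'http://127.0.0.1:5173'];
const TRUSTED_HOSTS = ['localhost', '127.0.0.1', 'dev.internal.example'];

// "Before": the permissive shape the advisory describes. Every origin gets
// Access-Control-Allow-Origin: * and neither Origin nor Host is checked.
const permissiveServerConfig = {
  server: { cors: true },
};

// "After": the advisory's mitigations as the `server` part of vite.config.js.
// Use `cors: false` instead of the object to disable cross-origin access
// entirely; keep an explicit `origin` list if a backend integration or another
// trusted front end must reach the dev server.
function hardenedServerConfig(origins = TRUSTED_ORIGINS, hosts = TRUSTED_HOSTS) {
  return {
    server: {
      cors: { origin: origins },
      // Needed when the dev server is reached through a reverse proxy or a
      // non-localhost name; a Host value outside this list is refused.
      allowedHosts: hosts,
    },
  };
}

// Extract a lowercase hostname from a Host header value or a full origin URL.
// Returns null for unparseable input (treated as untrusted by the caller).
function hostnameOf(value) {
  try {
    const url = value.includes('://') ? value : 'http://' + value;
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Simplified model (this example's own, not Vite's) of what a dev server must
// verify on a WebSocket upgrade so a page on an untrusted origin cannot hijack
// the HMR socket. With the permissive config the Origin check is skipped, which
// is the weakness the advisory describes. In this model a missing allowedHosts
// means Host is not checked, mirroring the "insufficient Host validation" cause.
function isUpgradeAllowed(headers, config) {
  const allowedHosts = config.server.allowedHosts;
  if (allowedHosts) {
    const host = hostnameOf(headers.host || '');
    if (!host || !allowedHosts.includes(host)) {
      return { allowed: false, reason: 'host' };
    }
  }

  const cors = config.server.cors;
  if (cors === true) {
    return { allowed: true, reason: 'origin-not-checked' };
  }

  const origin = headers.origin;
  const originHost = origin ? hostnameOf(origin) : null;
  // Same-site: the page came from one of the server's own allowed host names.
  const sameSite = Boolean(originHost && allowedHosts && allowedHosts.includes(originHost));
  // Explicitly trusted cross-origin callers from server.cors.origin.
  const trusted = (cors && Array.isArray(cors.origin)) ? cors.origin : [];
  if (!origin || !(sameSite || trusted.includes(origin))) {
    return { allowed: false, reason: 'origin' };
  }
  return { allowed: true, reason: 'ok' };
}
```

To use the hardened form, place the object returned by `hardenedServerConfig()` into the exported config in vite.config.js. The check function only models the decision; its value is in showing that the same upgrade request from an untrusted origin is accepted under the permissive config and refused under the hardened one, and that restricting `cors` alone does not cover the Host header, which is why `allowedHosts` is a separate setting.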
Source: This report was generated using AI