CVE-2025-32395: 
JavaScript vulnerability analysis and mitigation

Vite, a frontend tooling framework for JavaScript, disclosed a security vulnerability (CVE-2025-32395) on April 10, 2025. The vulnerability affects versions prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, where arbitrary file contents could be exposed to the browser when the dev server runs on Node or Bun. This vulnerability specifically impacts applications that explicitly expose the Vite dev server to the network using --host or server.host config option (GitHub Advisory, NVD).

The vulnerability stems from improper handling of HTTP request-targets containing the '#' character. According to HTTP 1.1 specification (RFC 9112), '#' is not allowed in request-targets, and such requests should be rejected with 400 or 301 status codes. However, on Node and Bun runtimes, these requests are not rejected internally and are passed to the user land, where the value of http.IncomingMessage.url contains the '#' character. Vite's assumption that req.url wouldn't contain '#' when checking server.fs.deny allowed these requests to bypass the security check. The vulnerability has been assigned a CVSS v4.0 base score of 6.0 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

When exploited, this vulnerability allows attackers to access and read arbitrary files on the system where the Vite dev server is running. This could lead to exposure of sensitive information and system files. For example, an attacker could potentially read system files like /etc/passwd through specially crafted requests (GitHub Advisory).

The vulnerability has been fixed in Vite versions 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13. The fix includes implementing proper request validation to reject requests containing '#' in the request-target with a 400 Bad Request response. Users are strongly advised to upgrade to the patched versions. No workarounds are available for this vulnerability (GitHub Advisory, Vite Commit).