CVE-2025-46565
JavaScript vulnerability analysis and mitigation

Overview

Vite, a frontend tooling framework for JavaScript, has a path traversal vulnerability (CVE-2025-46565) that was discovered and disclosed on May 1, 2025. It affects versions prior to 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, and allows unauthorized access to files under the project root that the dev server is configured to deny (GitHub Advisory, NVD).

Technical details

The vulnerability lies in the server.fs.deny configuration option, a list of glob patterns for files the dev server must refuse to serve (by default .env, .env.*, and *.{crt,pem}). For files under the project root, these patterns could be bypassed by inserting a slash-dot combination (/.) into the requested path. The vulnerability has received a CVSS v4.0 base score of 6.0 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

Impact

The vulnerability only affects applications that explicitly expose the Vite dev server to the network (using --host or server.host config option). When successfully exploited, attackers can access files that are under the project root and are denied by file matching patterns, potentially exposing sensitive information like environment variables and certificate files (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14. Users are advised to upgrade to these versions or later to mitigate the vulnerability (NVD, GitHub Advisory).
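The two facts above (the per-release-line fixed versions, and the advisory's scoping of impact to dev servers exposed with --host or server.host) can be turned into a small triage check. The following is an added example written for this page, not code from the advisory or from the Vite project. It assumes that "prior to" a fixed version applies per release line (so 6.0.x is governed by the 6.1.6 fix and anything older than 4.x by 4.5.14), and that a host of localhost, 127.0.0.1 or ::1 counts as not network-exposed; both are interpretations to confirm against the GitHub Advisory ranges. The function names (governingFix, isVulnerableVersion, isNetworkExposed, assess) are hypothetical.

```javascript
// Added example (not from the advisory or the Vite project): triage an
// installed Vite version and dev-server settings against CVE-2025-46565.

// Fixed versions as listed by the advisory, one per release line.
const FIXED_VERSIONS = ["4.5.14", "5.4.19", "6.1.6", "6.2.7", "6.3.4"];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Pick the fixed version that governs this release line (assumption about how
// "prior to" applies per line). Returns null when the version is newer than
// every fixed line, which is treated as already patched.
function governingFix(version) {
  const v = parseVersion(version);
  const fixes = FIXED_VERSIONS.map(parseVersion).sort(compareVersions);
  // Same major: the lowest fix whose minor is >= ours (6.0.x -> 6.1.6, 6.2.x -> 6.2.7).
  const sameMajor = fixes.filter((f) => f[0] === v[0] && f[1] >= v[1]);
  if (sameMajor.length) return sameMajor[0];
  // Older than the oldest fixed major (e.g. 3.x): "prior to 4.5.14" applies.
  if (v[0] < fixes[0][0]) return fixes[0];
  return null;
}

function isVulnerableVersion(version) {
  const fix = governingFix(version);
  return fix !== null && compareVersions(parseVersion(version), fix) < 0;
}

// Extract the host given on the CLI: "--host" alone, "--host <h>" or "--host=<h>".
function hostFromCli(cliArgs) {
  for (let i = 0; i < cliArgs.length; i++) {
    const a = cliArgs[i];
    if (a === "--host") {
      const next = cliArgs[i + 1];
      return next && !next.startsWith("-") ? next : true;
    }
    if (a.startsWith("--host=")) return a.slice("--host=".length);
  }
  return undefined;
}

// The advisory scopes impact to dev servers exposed via --host or server.host.
// Loopback-only hosts are treated as not exposed (assumption).
function isNetworkExposed(serverConfig = {}, cliArgs = []) {
  const host = hostFromCli(cliArgs) ?? serverConfig.host;
  if (host === true) return true;
  if (typeof host === "string") {
    return !["localhost", "127.0.0.1", "::1"].includes(host);
  }
  return false;
}

// Combine both checks into a triage verdict for one project.
function assess(version, serverConfig = {}, cliArgs = []) {
  const vulnerable = isVulnerableVersion(version);
  const exposed = isNetworkExposed(serverConfig, cliArgs);
  const fix = governingFix(version);
  let status;
  if (!vulnerable) status = "patched";
  else if (exposed) status = "vulnerable-exposed";
  else status = "vulnerable-local-only";
  return {
    version,
    vulnerable,
    exposed,
    fixedIn: fix ? fix.join(".") : null,
    status,
  };
}

// Constructed sample input: a project on 6.2.6 whose dev script runs "vite --host".
console.log(assess("6.2.6", {}, ["--host"]));

module.exports = { governingFix, isVulnerableVersion, isNetworkExposed, assess };
```

In practice the version would come from the installed package (for example node_modules/vite/package.json) and the server settings from vite.config.js and the project's dev script; a "vulnerable-local-only" verdict still warrants the upgrade, it just lowers the urgency relative to a network-exposed dev server.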

This report was generated using AI.