CVE-2025-62522: 
JavaScript vulnerability analysis and mitigation

CVE-2025-62522 affects Vite, a frontend tooling framework for JavaScript. The vulnerability was discovered and disclosed on October 20, 2025, affecting multiple versions from 2.9.18 to 7.1.10. The issue allows files denied by server.fs.deny to be accessed if the URL ends with a backslash () when the dev server is running on Windows (GitHub Advisory).

The vulnerability stems from an improper path handling mechanism in the isFileLoadingAllowed function. When a URL request ends with a backslash, the server.fs.deny patterns could be bypassed because fs.readFile('/foo.png/') would attempt to load /foo.png, effectively ignoring the trailing slash during the security check. The vulnerability has been assigned a CVSS v4.0 score of 6.0 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory, NVD).

The vulnerability only affects applications that explicitly expose the Vite dev server to the network (using --host or server.host config option) and are running on Windows. When exploited, it allows attackers to bypass the server.fs.deny security control and access sensitive files that should be restricted, such as .env files, .env., and .{crt,pem} patterns (GitHub Advisory).

The vulnerability has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11. Users are advised to upgrade to these or later versions. The fix involves trimming trailing slashes from file paths before performing the server.fs.deny security check (GitHub Advisory, GitHub Commit).