CVE-2025-62522: 
JavaScript vulnerability analysis and mitigation

Vite, a frontend tooling framework for JavaScript, contains a vulnerability (CVE-2025-62522) where files denied by server.fs.deny could be accessed if the URL ended with a backslash () when the dev server is running on Windows. This vulnerability affects multiple versions including 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11. The issue was discovered and disclosed on October 20, 2025 (NVD, GitHub Advisory).

The vulnerability stems from a path traversal issue where the server.fs.deny configuration could be bypassed using a backslash character at the end of URLs. The root cause was identified as fs.readFile('/foo.png/') being able to load /foo.png. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.0 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, GitHub Advisory).

The vulnerability allows attackers to access files that should be denied by the server.fs.deny configuration. This particularly affects sensitive files like .env, .env., and .{crt,pem} which are protected by default. The impact is limited to applications that explicitly expose the Vite dev server to the network and are running on Windows systems (GitHub Advisory).

The vulnerability has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11. Users are advised to upgrade to these versions or later to address the security issue. If immediate upgrade is not possible, users should avoid exposing the Vite dev server to the network when running on Windows systems (GitHub Advisory).