CVE-2025-30208: Medium Vulnerability in vitejs vite

A medium-severity vulnerability exists in vitejs versions prior to 6.2.3, allowing attackers to access arbitrary files through crafted URLs. Organizations must prioritize remediation to safeguard their applications.

MEDIUM · Public Exploit · CVSS 5.3 · Published March 24, 2025

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. This vulnerability allows attackers to access arbitrary files through crafted URLs. By appending `?raw??` or `?import&raw??` to the URL, the access restriction imposed by `@fs` can be bypassed, returning the contents of files outside of the Vite serving allow list.

The bypass works because trailing separators such as `?` are removed in several places, but the query string regexes do not account for them. Only applications that explicitly expose the Vite dev server to the network (using the `--host` or `server.host` configuration options) are affected by this issue.

Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 have been released to fix this issue. Organizations should prioritize patching immediately to mitigate potential risks.
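
The fixed releases above differ per release line, so a version check has to compare within the right line and numerically. The following is an added example, not code from Vite or from this advisory's publisher; the function names and the inventory are hypothetical, and it assumes that every version below the fixed release of its line is affected and that pre-release suffixes can be ignored.

```javascript
// Added example: triage Vite versions against the fixed releases in this advisory.
// First fixed release per release line, as listed in the advisory text.
const FIXED = { "4": "4.5.10", "5": "5.4.15", "6.0": "6.0.12", "6.1": "6.1.2", "6.2": "6.2.3" };

// Parse "major.minor.patch"; a pre-release or build suffix is ignored (assumption).
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so 4.5.9 sorts before 4.5.10 (a string compare would not).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the fixed release to upgrade to, or null when the version is not affected.
function requiredFix(version) {
  const v = parse(version);
  const [major, minor] = v;
  let key;
  if (major <= 4) key = "4"; // assumption: anything below 4.5.10 is affected
  else if (major === 5) key = "5";
  else if (major === 6 && minor <= 2) key = `6.${minor}`;
  else return null; // assumption: 6.3+ and later majors already include the fix
  return compare(v, parse(FIXED[key])) < 0 ? FIXED[key] : null;
}

// hostExposed: true when the dev server runs with --host or server.host is configured.
function triage(projects) {
  return projects.map(({ name, vite, hostExposed }) => {
    const upgradeTo = requiredFix(vite);
    let status = "not affected";
    if (upgradeTo) status = hostExposed ? "affected, dev server exposed" : "vulnerable version, dev server not exposed";
    return { name, vite, upgradeTo, status };
  });
}

// Constructed inventory for illustration; project names are hypothetical.
const INVENTORY = [
  { name: "storefront", vite: "6.2.2", hostExposed: true },
  { name: "admin-ui", vite: "4.5.9", hostExposed: false },
  { name: "docs", vite: "5.4.15", hostExposed: true },
];
console.table(triage(INVENTORY));
```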

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
