OsVault/npm/vite

npm

vite

135 known vulnerabilities · 0 critical · 1 high

GHSA-4w7w-66w2-5vf9

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

Published Apr 6, 2026

CVE-2025-24010

Websites were able to send any requests to the development server and read the response in vite

Published Jan 21, 2025

CVE-2023-49293MEDIUM

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Published Dec 5, 2023

CVE-2025-32395

Vite has an `server.fs.deny` bypass with an invalid `request-target`

Published Apr 11, 2025

CVE-2025-62522

vite allows server.fs.deny bypass via backslash on Windows

Published Oct 20, 2025

CVE-2024-45811MEDIUM

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Published Sep 17, 2024

CVE-2025-46565

Vite's server.fs.deny bypassed with /. for files under project root

Published Apr 30, 2025

CVE-2025-31486

Vite allows server.fs.deny to be bypassed with .svg or relative paths

Published Apr 4, 2025

CVE-2025-58751

Vite middleware may serve files starting with the same name with the public directory

Published Sep 9, 2025

CVE-2024-31207MEDIUM

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Published Apr 3, 2024

CVE-2025-31125

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Published Mar 31, 2025

CVE-2025-30208

Vite bypasses server.fs.deny when using ?raw??

Published Mar 25, 2025

GHSA-fx2h-pf6j-xcff

vite: `server.fs.deny` bypass on Windows alternate paths

Published Jun 15, 2026

GHSA-v6wh-96g9-6wx3

launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

Published Jun 15, 2026

CVE-2024-45812MEDIUM

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Published Sep 17, 2024

CVE-2024-23331HIGH

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Published Jan 19, 2024

CVE-2025-58752

Vite's `server.fs` settings were not applied to HTML files

Published Sep 9, 2025

GHSA-c27g-q93r-2cwf

launch-editor vulnerable to command injection via the crafted request on Windows

Published Jun 3, 2026

GHSA-v2wj-q39q-566r

Vite: `server.fs.deny` bypassed with queries

Published Apr 6, 2026

CVE-2026-39363

Risk: 44.23/100

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Published Apr 6, 2026

MAL-2025-4905

Malicious code in vite-plugin-svgn (npm)

Published Jun 10, 2025

MAL-2025-4904

Malicious code in vite-plugin-purify (npm)

Published Jun 10, 2025

MAL-2025-48308

Malicious code in vite-plugin-es6-babel (npm)

Published Oct 10, 2025

MAL-2025-2372

Malicious code in dev-debugger-vite (npm)

Published Mar 14, 2025

MAL-2025-3203

Malicious code in vite-plugin-monorepo (npm)

Published Apr 9, 2025

MAL-2026-5708

Malicious code in vite-svgr (npm)

Published Jun 12, 2026

MAL-2026-5713

Malicious code in vite-plugin-compress-js (npm)

Published Jun 12, 2026

MAL-2026-5714

Malicious code in vite-plugin-logo (npm)

Published Jun 12, 2026

MAL-2025-4408

Malicious code in template-vite (npm)

Published May 23, 2025

GHSA-33r3-4whc-44c2

Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME

Published Apr 16, 2026

MAL-2025-191474

Malicious code in vite-dynachunk (npm)

Published Nov 26, 2025

GHSA-v457-wxvj-p9w9

@vitejs/plugin-rsc has a Denial of Service with React Server Components

Published Apr 10, 2026

MAL-2025-4775

Malicious code in vite-plugin-esm-federation (npm)

Published Jun 10, 2025

MAL-2025-1561

Malicious code in vite_ruby_monorepo (npm)

Published Feb 28, 2025

MAL-2025-48268

Malicious code in vite-configs-viewer (npm)

Published Oct 9, 2025

MAL-2025-48269

Malicious code in vite-next-loggers (npm)

Published Oct 9, 2025

MAL-2025-190787

Malicious code in vite-plugin-httpfile (npm)

Published Nov 24, 2025

MAL-2025-48599

Malicious code in vite-compiler-tools (npm)

Published Oct 24, 2025

MAL-2025-49372

Malicious code in vite-smart-chunk (npm)

Published Nov 5, 2025

MAL-2025-41613

Malicious code in vite-binding-js (npm)

Published Aug 28, 2025

MAL-2026-2913

Malicious code in vite-plugin-compress-plus (npm)

Published Apr 16, 2026

GHSA-c6m7-q6pr-c64r

Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components

Published Dec 12, 2025

GHSA-cpqf-f22c-r95x

Vite Plugin React has a Denial of Service Vulnerability in React Server Components

Published Dec 12, 2025

MAL-2025-48426

Malicious code in vite-plugin-parseflow (npm)

Published Oct 15, 2025

MAL-2025-66552

Malicious code in vite-plugin-postcss-tools (npm)

Published Nov 11, 2025

CVE-2025-68155

@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint

Published Dec 16, 2025

MAL-2025-48884

Malicious code in vite-chunk-tools (npm)

Published Oct 23, 2025

MAL-2026-747

Malicious code in react-vite-sync (npm)

Published Feb 4, 2026

MAL-2025-4517

Malicious code in vite-config-pretty-js (npm)

Published May 27, 2025

MAL-2025-4519

Malicious code in vite-tsconfig-pretty (npm)

Published May 27, 2025

MAL-2025-4604

Malicious code in vite-plugin-svgr-logger (npm)

Published May 30, 2025

MAL-2025-38508

Malicious code in vite-css-icon (npm)

Published Aug 14, 2025

MAL-2025-191486

Malicious code in vitest-environment-jsdom-patched (npm)

Published Nov 29, 2025

MAL-2025-4534

Malicious code in vite-jsconfig-log (npm)

Published May 28, 2025

MAL-2026-5232

Malicious code in autotel-vitest (npm)

Published Jun 5, 2026

MAL-2026-5249

Malicious code in eslint-plugin-executable-stories-vitest (npm)

Published Jun 5, 2026

MAL-2026-5258

Malicious code in executable-stories-vitest (npm)

Published Jun 5, 2026

MAL-2026-5266

Malicious code in node-env-resolver-vite (npm)

Published Jun 5, 2026

MAL-2025-47107

Malicious code in vite-plugin-uni-i18n (npm)

Published Sep 12, 2025

MAL-2026-669

Malicious code in vite-ui-components (npm)

Published Feb 3, 2026

MAL-2025-4453

Malicious code in vite-plugin-esm-import-extension (npm)

Published May 26, 2025

MAL-2025-4551

Malicious code in aspirejavascript-vite (npm)

Published May 26, 2025

MAL-2025-5735

Malicious code in vite-plugin-enhance (npm)

Published Jul 8, 2025

MAL-2025-5262

Malicious code in vite-loader-svg (npm)

Published Jun 25, 2025

MAL-2025-48915

Malicious code in vite-plugin-es6-compat (npm)

Published Oct 28, 2025

MAL-2025-5967

Malicious code in vite-postcss-tools (npm)

Published Jul 15, 2025

MAL-2025-48784

Malicious code in vite-plugin-parsify (npm)

Published Oct 27, 2025

MAL-2025-5171

Malicious code in vite-logify (npm)

Published Jun 18, 2025

MAL-2025-6346

Malicious code in vite-postcss-bootstrap (npm)

Published Jul 29, 2025

MAL-2026-1114

Malicious code in vitetest-lint (npm)

Published Mar 2, 2026

MAL-2025-48914

Malicious code in vite-manual-chunker (npm)

Published Oct 28, 2025

MAL-2025-48885

Malicious code in vite-react-chunker (npm)

Published Oct 23, 2025

MAL-2025-6379

Malicious code in vite-postcss-nested (npm)

Published Jul 30, 2025

MAL-2025-190741

Malicious code in @ensdomains/vite-plugin-i18next-loader (npm)

Published Nov 24, 2025

MAL-2025-5170

Malicious code in vite-logging-tool (npm)

Published Jun 18, 2025

MAL-2026-1487

Malicious code in vitest-config (npm)

Published Mar 16, 2026

MAL-2025-48309

Malicious code in vite-plugin-parse (npm)

Published Oct 10, 2025

MAL-2026-4333

Malicious code in vite-plugin-env-compat-1.5 (npm)

Published May 25, 2026

MAL-2026-4334

Malicious code in vite-plugin-env-compat-plus (npm)

Published May 25, 2026

MAL-2026-1513

Malicious code in vitest-globals (npm)

Published Mar 16, 2026

MAL-2026-2736

Malicious code in buildkite-test-collector-vitest-example (npm)

Published Apr 16, 2026

MAL-2026-3464

Malicious code in @tanstack/nitro-v2-vite-plugin (npm)

Published May 11, 2026

MAL-2026-3480

Malicious code in @tanstack/router-vite-plugin (npm)

Published May 12, 2026

MAL-2025-3799

Malicious code in test-vite-favicons-inject (npm)

Published May 14, 2025

MAL-2026-4451

Malicious code in @tailwind-core/vite (npm)

Published May 19, 2026

MAL-2025-48310

Malicious code in vite-plugin-vue-layout (npm)

Published Oct 10, 2025

MAL-2025-4454

Malicious code in vite-plugin-legacy-umd (npm)

Published May 26, 2025

MAL-2026-4514

Malicious code in chai-as-vite (npm)

Published May 21, 2026

GHSA-g8mr-85jm-7xhm

Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE

Published Jun 15, 2026

MAL-2026-4705

Malicious code in vite-json-config (npm)

Published May 20, 2026

MAL-2026-4706

Malicious code in vite-plugin-css-blend (npm)

Published May 24, 2026

MAL-2026-5849

Malicious code in vite-configu-react (npm)

Published Jun 15, 2026

MAL-2026-5850

Malicious code in vite-enhancer-config (npm)

Published Jun 15, 2026

MAL-2022-5673

Malicious code in react-server-dom-vite (npm)

Published Sep 5, 2022

MAL-2026-5862

Malicious code in vitest-pro (npm)

Published Jun 16, 2026

MAL-2025-3591

Malicious code in vite-plugin-tools (npm)

Published May 2, 2025

MAL-2025-191383

Malicious code in @voiceflow/vite-config (npm)

Published Nov 25, 2025

MAL-2026-1338

Malicious code in vite-chunker (npm)

Published Mar 11, 2026

MAL-2025-4518

Malicious code in vite-plugin-style-svg (npm)

Published May 27, 2025

MAL-2024-10875

Malicious code in vite-plugin-unus-api-register (npm)

Published Nov 21, 2024

MAL-2025-4289

Malicious code in vite-tsconsole-log (npm)

Published May 22, 2025

GHSA-2h32-95rg-cppp

Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Published Jun 1, 2026

MAL-2025-47106

Malicious code in vite-plugin-morgan (npm)

Published Sep 12, 2025

GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

Published Jun 1, 2026

CVE-2026-29066

TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction

Published Mar 12, 2026

GHSA-534h-c3cw-v3h9

Nuxt dev server vite-node IPC socket is world-connectable on Linux

Published Jun 16, 2026

MAL-2025-47923

Malicious code in dragon0905-vite-tsconfig-assistant (npm)

Published Oct 7, 2025

MAL-2025-47934

Malicious code in vite-tsconfig-assistant (npm)

Published Oct 7, 2025

MAL-2025-48017

Malicious code in vite-plugin-opticompress (npm)

Published Oct 8, 2025

MAL-2025-47741

Malicious code in vite-linting-js (npm)

Published Sep 26, 2025

MAL-2025-47870

Malicious code in vite-plugin-parse-js (npm)

Published Oct 1, 2025

GHSA-w94c-4vhp-22gx

@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components

Published May 11, 2026

MAL-2025-192884

Malicious code in vite-react-setting (npm)

Published Dec 23, 2025

MAL-2026-918

Malicious code in webpack-vite (npm)

Published Feb 16, 2026

MAL-2025-47933

Malicious code in vite-plugin-chunk-chop (npm)

Published Oct 7, 2025

MAL-2025-48322

Malicious code in vite-babel-plugin-es6-promise (npm)

Published Oct 12, 2025

MAL-2025-3800

Malicious code in vite-logging-patcher (npm)

Published May 14, 2025

MAL-2025-3653

Malicious code in vite-plugin-node-modules-polyfills (npm)

Published May 6, 2025

MAL-2025-3654

Malicious code in vite-plugin-remove (npm)

Published May 6, 2025

MAL-2026-5936

Malicious code in vite-config-field (npm)

Published Jun 16, 2026

MAL-2025-4634

Malicious code in vite-logging-patchers (npm)

Published Jun 2, 2025

MAL-2025-47489

Malicious code in node-vite-config (npm)

Published Sep 22, 2025

MAL-2025-47507

Malicious code in vite-jsconfig (npm)

Published Sep 22, 2025

MAL-2025-5209

Malicious code in vite-auditlog (npm)

Published Jun 20, 2025

GHSA-chqv-vrj7-qffp

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

Published May 21, 2026

CVE-2025-67489

@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server

Published Dec 8, 2025

MAL-2026-5576

Malicious code in vite-tsconfig (npm)

Published Jun 11, 2026

MAL-2026-5933

Malicious code in react-vite-assert (npm)

Published Jun 16, 2026

MAL-2026-5701

Malicious code in vite-react-toolkit (npm)

Published Jun 12, 2026

MAL-2026-5727

Malicious code in vite-config-optimizer (npm)

Published Jun 13, 2026

MAL-2026-5728

Malicious code in vite-config-react (npm)

Published Jun 13, 2026

MAL-2025-191384

Malicious code in @voiceflow/vitest-config (npm)

Published Nov 25, 2025

MAL-2025-191600

Malicious code in vite-dynamic-chunks (npm)

Published Dec 1, 2025

MAL-2025-717

Malicious code in vite-paypal (npm)

Published Jan 31, 2025

MAL-2026-6088

Malicious code in vite-common-utils (npm)

Published Jun 17, 2026

Check your entire dependency tree at onceRun dependency scan →