CVE-2025-24010

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6	Exploit Third Party Advisory Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*

History

19 Sep 2025, 18:35

Type	Values Removed	Values Added
First Time		Vitejs vite Vitejs
CPE		cpe:2.3:a:vitejs:vite::::::node.js::*
Summary		(es) Vite es una herramienta de interfaz framework para JavaScript. Vite permitía que cualquier sitio web enviara solicitudes al servidor de desarrollo y leyera la respuesta debido a la configuración CORS predeterminada y la falta de validación en el encabezado Origin para las conexiones WebSocket. Esta vulnerabilidad se solucionó en 6.0.9, 5.4.12 y 4.5.6.
References	~~() https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 -~~	() https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 - Exploit, Third Party Advisory, Mitigation

20 Jan 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-20 16:15

Updated : 2025-09-19 18:35

NVD link : CVE-2025-24010

Mitre link : CVE-2025-24010

CVE.ORG link : CVE-2025-24010

JSON object : View

Products Affected

vitejs

vite

CWE

CWE-346

Origin Validation Error

CWE-350

Reliance on Reverse DNS Resolution for a Security-Critical Action

CWE-1385

Missing Origin Validation in WebSockets

{"id": "CVE-2025-24010", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-01-20T16:15:28.730", "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6", "tags": ["Exploit", "Third Party Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-350"}, {"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6."}, {"lang": "es", "value": "Vite es una herramienta de interfaz framework para JavaScript. Vite permit\u00eda que cualquier sitio web enviara solicitudes al servidor de desarrollo y leyera la respuesta debido a la configuraci\u00f3n CORS predeterminada y la falta de validaci\u00f3n en el encabezado Origin para las conexiones WebSocket. Esta vulnerabilidad se solucion\u00f3 en 6.0.9, 5.4.12 y 4.5.6."}], "lastModified": "2025-09-19T18:35:59.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6A418E00-E3DD-4461-96A8-BC4C22E98F75", "versionEndExcluding": "4.5.5"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "70C30FA0-1314-408F-A85B-BB3335EC6163", "versionEndExcluding": "5.4.12", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "99D0A251-3C65-4F9F-AD23-B3C3E3DEC93D", "versionEndExcluding": "6.0.9", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}