Home > Vulnerability Database > CVE-2025-62522

Mend.io Vulnerability Database

CVE-2025-62522

Good to know:

Date: October 20, 2025

Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.

Severity Score

6.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62522

Url: https://github.com/vitejs/vite

Url: https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7

Url: https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed

Url: https://www.mend.io/vulnerability-database/CVE-2025-62522

Severity Score

6.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version vite - 7.1.11;vite - 7.0.8;vite - 6.4.1;vite - 5.4.21;vite - 5.4.21;vite - 5.4.21;vite - 5.4.21;https://github.com/vitejs/vite.git - v5.4.21;https://github.com/vitejs/vite.git - v6.4.1;https://github.com/vitejs/vite.git - v7.0.8;https://github.com/vitejs/vite.git - v7.1.11

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62522

Good to know:

Date: October 20, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?