Vulnerability

CVE-2025-24010

 Report advisory or correction

CVSS Score 5.9 medium

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-1385

References

https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-24010

[CVE-2025-24010] CWE-1385 CWE-346 CWE-350

Description

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

See vite package information