CVE-2025-24010

Source
https://cve.org/CVERecord?id=CVE-2025-24010
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24010.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24010
Aliases
Related
Published
2025-01-20T15:53:30.929Z
Modified
2026-05-28T03:55:10.192083011Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Vite allows any website to send any request to the development server and read the response
Details

Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send any request to the development server and read the response, due to the default CORS settings and the lack of validation of the Origin header on WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.

Database specific
{
    "cwe_ids": [
        "CWE-1385",
        "CWE-346",
        "CWE-350"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24010.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/vitejs/vite

Affected ranges

Type
GIT
Repo
https://github.com/vitejs/vite
Events

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24010.json"