Upstream information
Description
Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| CNA (GitHub) | |
|---|---|
| Base Score | 4.8 |
| Vector | CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Attack Vector | Adjacent Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- openSUSE-SU-2025:14663-1, published Sat Jan 18 18:49:59 2025
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2025-14663 |
SUSE Timeline for this CVE
CVE page created: Wed Sep 18 00:00:16 2024CVE page last modified: Sat Jan 18 19:55:30 2025