Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged

Filter by:

With package: python312Packages.django-vite

Found 1 matching suggestions

View:

Compact

Detailed

Permalink CVE-2025-31125

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 2 months ago by @fricklerhandwerk Activity log

Created automatic suggestion 2 months ago
@fricklerhandwerk removed
2 maintainers
- @sephii
- @urandom2
2 months ago
@fricklerhandwerk added maintainer @urandom2 2 months ago

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

References

https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 x_refsource_CONFIRM
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 x_refsource_MISC
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 exploit
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 x_refsource_CONFIRM
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 x_refsource_MISC
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025… government-resource
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 x_refsource_CONFIRM
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 x_refsource_MISC
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025… government-resource

Affected products

vite

==< 4.5.11
==>= 5.0.0, < 5.4.16
==>= 6.0.0, < 6.0.13
==>= 6.1.0, < 6.1.3
==>= 6.2.0, < 6.2.4

Matching in nixpkgs

pkgs.vite

Visual Trace Explorer (ViTE), a tool to visualize execution traces

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4

pkgs.vitess

Database clustering system for horizontal scaling of MySQL

nixos-unstable 22.0.1
- nixpkgs-unstable 22.0.1
- nixos-unstable-small 22.0.1

pkgs.vitetris

Terminal-based Tetris clone by Victor Nilsson

nixos-unstable 0.59.1
- nixpkgs-unstable 0.59.1
- nixos-unstable-small 0.59.1

pkgs.python312Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0

pkgs.python313Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0

Package maintainers

@urandom2 Colin Arnott <colin@urandom.co.uk>
@siers Raitis Veinbahs <veinbahs+nixpkgs@gmail.com>

Ignored maintainers (1)

@sephii Sylvain Fankhauser <sephi@fhtagn.top>

1