CVE-2025-24010: Websites were able to send any requests to the development server and read the response in vite

January 21, 2025 (updated February 7, 2025)

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

[!WARNING] This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.

References

github.com/advisories/GHSA-vg6x-rcgg-rjx6
github.com/vitejs/vite
github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6
nvd.nist.gov/vuln/detail/CVE-2025-24010

Code Behaviors & Features

Detect and mitigate CVE-2025-24010 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →