The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-32395

CVE-2025-32395: Vite Information Disclosure Vulnerability

CVE-2025-32395 is an information disclosure vulnerability in Vite dev server that allows attackers to access arbitrary files when running on Node or Bun. This article covers technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2025-32395 Overview

CVE-2025-32395 is an information disclosure vulnerability in Vite, a popular frontend tooling framework for JavaScript. The vulnerability allows attackers to bypass the server.fs.deny security control and read arbitrary files from the development server when it is exposed to the network and running on Node.js or Bun runtimes.

The flaw stems from improper handling of HTTP requests containing the # character in the request target. While HTTP 1.1 (RFC 9112) and HTTP 2 specifications do not allow # in request-target and recommend rejecting such requests with 400 or 301 status codes, Node.js and Bun pass these malformed requests to user land code without rejection. Vite's security check assumed req.url would never contain #, allowing attackers to craft requests that bypass the file system access restrictions.

Critical Impact

Attackers can read sensitive configuration files, environment variables, source code, and other confidential data from development servers exposed to the network.

Affected Products

  • Vite versions prior to 6.2.6
  • Vite versions prior to 6.1.5
  • Vite versions prior to 6.0.15
  • Vite versions prior to 5.4.18
  • Vite versions prior to 4.5.13

Discovery Timeline

  • 2025-04-10 - CVE-2025-32395 published to NVD
  • 2025-04-11 - Last updated in NVD database

Technical Details for CVE-2025-32395

Vulnerability Analysis

This vulnerability falls under the CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) category. The security issue exists in how Vite processes incoming HTTP requests when validating file access against the server.fs.deny configuration.

Vite's development server includes a security feature (server.fs.deny) that restricts which files can be served to clients. However, the validation logic did not account for the possibility that req.url could contain the # fragment identifier character. On Node.js and Bun runtimes, HTTP requests with invalid request-lines containing # are not rejected at the HTTP parsing layer and instead propagate to the application code with the # character intact in http.IncomingMessage.url.

This behavior creates a security bypass where an attacker can craft HTTP requests that include # in the request target to evade Vite's file path validation, ultimately gaining access to files that should be restricted by server.fs.deny.

Root Cause

The root cause is an assumption in Vite's request URL validation logic that the req.url value would never contain the # character. This assumption is based on HTTP specification requirements, but fails to account for runtime-specific behavior where Node.js and Bun do not reject these malformed requests at the HTTP protocol layer. The discrepancy between specification requirements and actual runtime behavior creates a validation bypass vulnerability.

Attack Vector

The attack requires network access to the Vite development server. An attacker can exploit this vulnerability by:

  1. Identifying a Vite development server exposed to the network (using --host flag or server.host configuration)
  2. Crafting HTTP requests with # characters in the request target to bypass server.fs.deny validation
  3. Requesting sensitive files such as .env files, configuration files, or source code
  4. Receiving the contents of restricted files in the HTTP response

The vulnerability specifically affects servers running on Node.js or Bun runtimes. Deno-based deployments are not affected as Deno properly rejects these malformed HTTP requests.

The malicious request exploits the discrepancy between HTTP specification requirements and the actual behavior of Node.js and Bun HTTP parsing. By including a # character in the request path, attackers can manipulate how Vite's server.fs.deny check processes the file path, causing it to fail validation while the underlying file system operation succeeds.

Detection Methods for CVE-2025-32395

Indicators of Compromise

  • HTTP access logs showing unusual requests with # characters in URLs targeting sensitive file paths
  • Requests attempting to access files like .env, package.json, or files outside the expected web root
  • Unexpected file read operations on the development server from external IP addresses
  • Network connections to development server ports (typically 5173) from untrusted sources

Detection Strategies

  • Implement network monitoring for HTTP requests containing # characters in the request-target
  • Configure web application firewalls to alert on or block requests with malformed URL patterns
  • Review development server access logs for requests targeting sensitive files or directories
  • Monitor for unusual outbound data transfers from development environments

Monitoring Recommendations

  • Enable verbose logging on Vite development servers when exposed to any network
  • Implement file integrity monitoring on sensitive configuration files in development environments
  • Set up alerts for any external access attempts to development server ports
  • Review network segmentation to ensure development servers are not unnecessarily exposed

How to Mitigate CVE-2025-32395

Immediate Actions Required

  • Update Vite to one of the patched versions: 6.2.6, 6.1.5, 6.0.15, 5.4.18, or 4.5.13
  • Avoid exposing Vite development servers to untrusted networks until patched
  • Remove --host flag or server.host configuration if network exposure is not required
  • Audit access logs for any signs of exploitation attempts

Patch Information

The vulnerability has been fixed in multiple Vite versions across different release branches. The fix is available in the GitHub commit 175a8390. Organizations should update to the following patched versions based on their current branch:

Current BranchPatched Version
6.2.x6.2.6
6.1.x6.1.5
6.0.x6.0.15
5.4.x5.4.18
4.5.x4.5.13

For complete technical details and additional context, refer to the GitHub Security Advisory GHSA-356w-63v5-8wf4.

Workarounds

  • Bind Vite development server to localhost only (remove --host flag and server.host configuration)
  • Use a reverse proxy with request validation to filter malformed HTTP requests before they reach Vite
  • Run the development server on Deno runtime which properly rejects these malformed requests
  • Implement network-level access controls to restrict who can reach the development server
bash
# Configuration example
# Remove network exposure from vite.config.js
# Before (vulnerable if running on Node/Bun):
# export default {
#   server: {
#     host: true
#   }
# }

# After (secure - localhost only):
export default {
  server: {
    host: false  # or remove the host option entirely
  }
}

# Update Vite to patched version
npm update vite
# or
yarn upgrade vite
# or
pnpm update vite

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechVite
  • SeverityMEDIUM
  • CVSS Score6.0
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-200
  • Technical References
  • GitHub Commit Details
  • GitHub Security Advisory GHSA-356w-63v5-8wf4
  • Related CVEs
  • CVE-2026-39364: Vite Information Disclosure Vulnerability
  • CVE-2026-39363: Vite Information Disclosure Vulnerability
  • CVE-2025-31486: Vite Information Disclosure Vulnerability
  • CVE-2024-31207: Vite Information Disclosure Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English