CVE-2025-24010: Vite Development Servers Vulnerable to Cross-Origin Request Interception

A critical vulnerability in Vite, the widely-used frontend build tool, has been identified and patched. The security flaw, tracked as CVE-2025-24010 and catalogued as GHSA-vg6x-rcgg-rjx6, allowed malicious websites to send arbitrary requests to Vite development servers and read the responses. This vulnerability represents a significant attack surface for developers working in local development environments.

The issue affected Vite versions prior to 6.0.0, specifically the 5.4.10 release and earlier. The vulnerability enabled any website to bypass browser-origin restrictions and interact directly with locally running development servers, potentially exposing sensitive API keys, internal endpoints, or session data that developers inadvertently exposed during local testing. The security advisory was published through GitHub's coordinated vulnerability disclosure program, with the fix implemented in Vite version 6.0.0.

Developers and organizations using Vite for frontend development should immediately verify their installation versions and upgrade to the latest release. The vulnerability particularly impacts teams running microservices architectures locally, where development servers often proxy requests to internal backend services. Security researchers warned that the attack vector could be exploited through compromised advertising networks, malicious links, or cross-site scripting scenarios. Automated dependency management tools like Renovate have already begun propagating the security update across affected repositories, though manual verification remains advisable for critical infrastructure.