What is CVE-2025-62522?

### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows ### Details `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass by using a back slash(`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`. ### PoC ```shell npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env\ http://localhost:5173 ```

What is the severity of CVE-2025-62522?

CVE-2025-62522 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-62522?

No known public exploits are currently available for CVE-2025-62522.

Is there a patch available for CVE-2025-62522?

Yes, patches are available for CVE-2025-62522. Check the vendor advisories for update instructions.

CVE-2025-62522

Published: February 5, 2026

Last updated:8 hours ago (February 5, 2026)

Exploit: NoZero-day: NoPatch: YesTrend: Neutral

TL;DR

Updated February 5, 2026

CVE-2025-62522 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.

Key Points

1Low severity (CVSS 0.0/10)
2EPSS: 2.00% - moderate likelihood of exploitation
3No known public exploits
4Vendor patches are available

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score2.0

None

Exploitation LikelihoodLow

2.00%EPSS

Lower probability of exploitation

Patch during regular maintenance

2.00%

EPSS

0.0

CVSS

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com

Trend Analysis

Neutral

Advisories

GitHub Advisory NVD

Cite This Page

APA Format

Strobes VI. (2026). CVE-2025-62522 - CVE Details and Analysis. Strobes VI. Retrieved February 5, 2026, from https://vi.strobes.co/cve/CVE-2025-62522

Quick copy link + title

Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.