## Vite v6 Security Update Patches Critical CORS & WebSocket Vulnerability (CVE-2025-24010)
A critical security vulnerability in the Vite development server has prompted a mandatory major version update. The flaw, tracked as CVE-2025-24010, stemmed from default CORS settings and a lack of validation on the Origin header for WebSocket connections. This configuration allowed any website to send requests to a Vite development server and read the responses, creating a significant cross-origin resource sharing (CORS) and WebSocket security risk for developers during local development.

The vulnerability was patched in Vite version 6. The automated dependency management tool Renovate has flagged the update, moving projects from Vite 5.x to the secure Vite 6.x branch. The update is classified with high merge confidence, indicating a low risk of breaking changes, which prioritizes security remediation. The advisory was published via GitHub's security advisory system, directly linking the CVE to the Vite project's official security disclosures.

This incident underscores the persistent security risks in modern web development toolchains, where local development servers can become unintended attack surfaces. The mandatory major version bump signals the severity of the issue, compelling all projects using Vite for development to immediately upgrade to prevent potential data exfiltration or server manipulation during the development phase. It serves as a critical reminder for teams to rigorously monitor and apply security updates for build tools and dev servers, not just production dependencies.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, web_development, vulnerability, CVE-2025-24010, dependency_management
- **Credibility**: unverified
- **Published**: 2026-04-07 14:27:21
- **ID**: 53315
- **URL**: https://whisperx.ai/en/intel/53315