Vite has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install Vite?

Install Vite via npm: `npx vite`. Then add it to your MCP client config file.

What AI clients work with Vite?

Vite is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.

Is Vite actively maintained?

Vite is actively maintained — last commit was 0 days ago. It has 79,687 GitHub stars.

Vite

Native-ESM powered web dev build tool

ActiveNot tested

Developer Tools

★ 79.7k↓ 85431.4k/wknpm GitHub

49CNo CVEsactive

Quick Install

{
  "mcpServers": {
    "vite": {
      "command": "npx",
      "args": [
        "-y",
        "vite"
      ]
    }
  }
}

Setup guide

Auto-generated from package name. Add to your client's MCP config file.

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/vite)](https://mcppedia.org/s/vite)

Should you use this server?

Native-ESM powered web dev build tool

✓

Is it safe?

No known CVEs for vite. 21 previously resolved.

No authentication — any process on your machine can connect.

License not specified.

✓

Is it maintained?

Last commit 0 days ago. 79,687 stars. 85,431,406 weekly downloads.

Will it work with my client?

Transport: stdio. Works with Claude Desktop, Cursor, Claude Code, and most MCP clients.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'vite' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Score Breakdown

MCPpedia Score

Click each category to see evidence

49C

Last scored 21h ago

How we score →

Security

20/30

No open vulnerabilities. 21 fixed CVEs.

✓

Known CVEs — No known CVEs for vitecheck OSV.dev

○

Tool safety — No tools to analyze

○

Tool poisoning — No tools to analyze

○

Injection vectors — No tools to analyze

✓

Tool stability — Tool definitions stable

○

Dependency health — found on deps.dev, recently updated

✗

License — No license specified

○

Authentication — No authentication required

○

Repository — active repo

Advisories (0 open, 21 fixed)

mediumCVSS 4GHSA-4w7w-66w2-5vf9Fixed

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

### Summary Any files ending with `.map` even out side the project can be returned to the browser. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - have a sensitive content in files ending with `.map` and the path is predictable ### Details In Vite v7.3.1, the dev server’s handling of `.map` requests for

Affected: >= 8.0.0Fixed in 8.0.5Published Apr 6, 2026source \u2192

mediumCVSS 4CVE-2026-39365Fixed

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

Affected: >= 8.0.0Fixed in 8.0.5Published Apr 6, 2026source \u2192

CVEs checked daily via OSV.dev. Score algorithm is open source.

Frequently Asked Questions

Is Vite safe to use?: Vite has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install Vite?: Install Vite via npm: `npx vite`. Then add it to your MCP client config file.
What AI clients work with Vite?: Vite is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.
Is Vite actively maintained?: Vite is actively maintained — last commit was 0 days ago. It has 79,687 GitHub stars.

mediumCVSS 4GHSA-v2wj-q39q-566rFixed

Vite: `server.fs.deny` bypassed with queries

### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vi

Affected: >= 8.0.0Fixed in 8.0.5Published Apr 6, 2026source \u2192

mediumCVSS 4CVE-2026-39364Fixed

Vite: `server.fs.deny` bypassed with queries

Affected: >= 8.0.0Fixed in 8.0.5Published Apr 6, 2026source \u2192

mediumCVSS 4CVE-2026-39363Fixed

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

### Summary [`server.fs`](https://vite.dev/config/server-options#server-fs-strict) check was not enforced to the `fetchModule` method that is exposed in Vite dev server's WebSocket. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - WebSocket is not disabled by `server.ws: false` Arbitrary files on the ser

Affected: >= 8.0.0Fixed in 8.0.5Published Apr 6, 2026source \u2192

mediumCVSS 4CVE-2025-62522Fixed

vite allows server.fs.deny bypass via backslash on Windows

### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows ### Details `server.fs.deny` can contai

Affected: >= 7.1.0Fixed in 7.1.11Published Oct 20, 2025source \u2192

mediumCVSS 4CVE-2025-58751Fixed

Vite middleware may serve files starting with the same name with the public directory

### Summary Files starting with the same name with the public directory were served bypassing the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default) - a symlink exists in the pu

Affected: >= 7.1.0Fixed in 7.1.5Published Sep 9, 2025source \u2192

mediumCVSS 4CVE-2025-58752Fixed

Vite's `server.fs` settings were not applied to HTML files

### Summary Any HTML files on the machine were served regardless of the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) - `appType: 'spa'` (default) or `appType: 'mpa'` is used This vulnerability also affects the preview server. The preview server allowed HTML files not under the output di

Affected: >= 7.1.0Fixed in 7.1.5Published Sep 9, 2025source \u2192

mediumCVSS 4CVE-2025-46565Fixed

Vite's server.fs.deny bypassed with /. for files under project root

### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file ma

Affected: >= 6.3.0Fixed in 6.3.4Published Apr 30, 2025source \u2192

mediumCVSS 4CVE-2025-32395Fixed

Vite has an `server.fs.deny` bypass with an invalid `request-target`

### Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. ### Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) - running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) ### Details [HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-tar

Affected: >= 6.2.0Fixed in 6.2.6Published Apr 11, 2025source \u2192

lowCVSS 3.1CVE-2025-31486Fixed

Vite allows server.fs.deny to be bypassed with .svg or relative paths

### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details #### `.svg` Requests ending with `.svg` are loaded at this line. https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 By adding `?.svg` w

Affected: >= 6.2.0Fixed in 6.2.5Published Apr 4, 2025source \u2192

lowCVSS 3.1CVE-2025-31125Fixed

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details - base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`) - content of non-allowed files is exposed using `?raw?import` `/@fs/` isn

Affected: >= 6.2.0Fixed in 6.2.4Published Mar 31, 2025source \u2192

lowCVSS 3.1CVE-2025-30208Fixed

Vite bypasses server.fs.deny when using ?raw??

### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trail

Affected: >= 6.2.0Fixed in 6.2.3Published Mar 25, 2025source \u2192

lowCVSS 3.1CVE-2025-24010Fixed

Websites were able to send any requests to the development server and read the response in vite

### Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. > [!WARNING] > This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network. ### Upgrade Path Users that does not match either of the following conditions should be able to upgrade to a newer version of Vit

Affected: >= 6.0.0Fixed in 6.0.9Published Jan 21, 2025source \u2192

lowCVSS 3.1CVE-2024-45812Fixed

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

### Summary We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Note that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 ### Details **Backgro

Affected: >= 5.4.0Fixed in 5.4.6Published Sep 17, 2024source \u2192

lowCVSS 3.1CVE-2024-45811Fixed

Vite's `server.fs.deny` is bypassed when using `?import&raw`

### Summary The contents of arbitrary files can be returned to the browser. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. ### PoC ```sh $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@fs/tmp/secret.txt" <body> <h1>403 Restricted</h1

Affected: >= 5.4.0Fixed in 5.4.6Published Sep 17, 2024source \u2192

lowCVSS 3.1CVE-2024-31207Fixed

Vite's `server.fs.deny` did not deny requests for patterns with directories.

### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`. ### Impact Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### P

Affected: >= 2.7.0Fixed in 2.9.18Published Apr 3, 2024source \u2192

lowCVSS 3.1CVE-2024-23331Fixed

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17 ### Details Since `pi

Affected: >= 2.7.0Fixed in 2.9.17Published Jan 19, 2024source \u2192

lowCVSS 3.1CVE-2023-49293Fixed

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

### Summary When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. ### Impact Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. Th

Affected: >= 4.4.0Fixed in 4.4.12Published Dec 5, 2023source \u2192

lowCVSS 3.1CVE-2023-34092Fixed

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (`//`). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. ### Steps to Fix. **Update Vite**: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. **Secure the server configuration**: In your `vite.config.js` file, review and update the se

Affected: >= 0Fixed in 2.9.16Published Jun 6, 2023source \u2192

lowCVSS 3.1CVE-2022-35204Fixed

Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service

Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.

Affected: >= 0Fixed in 2.9.13Published Aug 19, 2022source \u2192

Vite

Quick Install

Should you use this server?

Test This Server

Score Breakdown

MCPpedia Score

Help improve this page

Security

Advisories (0 open, 21 fixed)

Reviews

Frequently Asked Questions

Similar servers

XcodeBuildMCP

Gemini Cli

Nitrostack

Mcp Memory Service

Discussion