CVE-2024-45811 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-45811 Interim 1 7 2026-03-05T02:08:46Z current 2025-01-18T00:27:07Z 2026-03-05T02:08:46Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-45811 Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IL7QOYRPFRGRS6UKU6ZYHI76FWFFUJNK/ E-Mail link for openSUSE-SU-2025:14663-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 16.0 SUSE Package Hub 15 SP6 openSUSE Leap 15.6 openSUSE Tumbleweed system-user-velociraptor-1.0.0-160000.2.2 system-user-velociraptor-1.0.0-bp156.3.3.1 velociraptor-0.7.0.4.git142.862ef23-1.1 velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 velociraptor-0.7.0.4.git152.fb24dfd-160000.2.2 velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 velociraptor-client-0.7.0.4.git152.fb24dfd-160000.2.2 system-user-velociraptor-1.0.0-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 velociraptor-0.7.0.4.git152.fb24dfd-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 velociraptor-client-0.7.0.4.git152.fb24dfd-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 system-user-velociraptor-1.0.0-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 system-user-velociraptor-1.0.0-bp156.3.3.1 as a component of openSUSE Leap 15.6 velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of openSUSE Leap 15.6 velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of openSUSE Leap 15.6 velociraptor-0.7.0.4.git142.862ef23-1.1 as a component of openSUSE Tumbleweed Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2024-45811 SUSE Linux Enterprise Server 16.0:system-user-velociraptor-1.0.0-160000.2.2 SUSE Linux Enterprise Server 16.0:velociraptor-0.7.0.4.git152.fb24dfd-160000.2.2 SUSE Linux Enterprise Server 16.0:velociraptor-client-0.7.0.4.git152.fb24dfd-160000.2.2 SUSE Package Hub 15 SP6:system-user-velociraptor-1.0.0-bp156.3.3.1 SUSE Package Hub 15 SP6:velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 SUSE Package Hub 15 SP6:velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 openSUSE Leap 15.6:system-user-velociraptor-1.0.0-bp156.3.3.1 openSUSE Leap 15.6:velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 openSUSE Leap 15.6:velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1 moderate