CVE-2025-31125

Summary

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using –host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

Affected Software

VendorProductVersion RangeStatus
vitejsvite>= 6.2.0, < 6.2.4affected
vitejsvite>= 6.1.0, < 6.1.3affected
vitejsvite>= 6.0.0, < 6.0.13affected
vitejsvite>= 5.0.0, < 5.4.16affected
vitejsvite< 4.5.11affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References