CVE-2025-31125

Vite development server vulnerability allows bypass of filesystem restrictions to expose sensitive files via crafted URLs with ?inline&import or ?raw&import parameters. Only affects Vite dev servers explicitly exposed to the network using --host configuration.

Risk Level: MEDIUM_RISK

CVSS Score: 5.3

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 (Exploit Public-Facing Application)

Deployment Risk: MEDIUM

Ransomware: No

Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-03-31

Added to CISA KEV: 2026-01-22 (297 days between CVE and KEV)


πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2025-31125 is a security vulnerability affecting Vite, a popular frontend tooling framework for JavaScript. The known details of the flaw are summarized below.

Vulnerability Overview
  • Nature of Vulnerability: This is an improper access control flaw that allows for arbitrary file reading [1] [6].
  • Mechanism: Vite incorrectly exposes the content of non-allowed files when specific query parameters, such as `?inline&import` or `?raw&import`, are appended to requests [4] [7].
  • Impact: Successful exploitation allows an attacker to retrieve sensitive files from the server hosting the Vite development environment [3].

Exploitation and Threat Landscape
  • Active Exploitation: The vulnerability is confirmed to be actively exploited in the wild. It was officially added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog on January 22, 2026 [2].
  • Attack Requirements:
      • Network Access: Exploitation is only possible if the Vite development server is explicitly exposed to the network (e.g., using the `--host` flag or configuring `server.host` in the Vite settings) [1] [5].
      • User Interaction: No complex user interaction is typically required; the attack is performed by sending specially crafted HTTP requests to the exposed server.
  • Threat Actor Usage: While specific threat actor attribution is not detailed in public records, the inclusion in the CISA KEV catalog indicates widespread interest and usage by malicious actors for unauthorized data access [2].
  • Proof-of-Concept (PoC): Publicly available PoC scripts exist that demonstrate how to leverage this vulnerability to perform path traversal and retrieve sensitive files [3].

Mitigation and Patch Status
  • Affected Versions: The vulnerability affects versions of Vite prior to the patch release.
  • Patch Status: The issue has been addressed and patched in vite@6.2.4 [5].
  • Recommendation: Users are strongly advised to update to the patched version immediately. Additionally, ensure that development servers are not exposed to untrusted networks, as this is a prerequisite for the vulnerability to be reachable [1].
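
Detection logic for the request pattern described under Mechanism, added here as an example and not taken from the advisory or the Vite project. It assumes requests to the dev server are recorded in a combined-format access log (for instance by a proxy in front of it); the function names, sample log lines and placeholder paths are constructed for illustration.

```javascript
// Added example (not from the advisory): flag logged requests whose query
// string pairs `import` with `raw` or `inline`, the combinations named above.

// Collect parameter names after the first "?". The NVD text also writes
// "?raw?import", so "?" is accepted as a separator alongside "&".
function queryKeys(target) {
  const q = target.indexOf("?");
  if (q === -1) return new Set();
  const names = target.slice(q + 1).split(/[&?]/).map((part) => {
    const name = part.split("=")[0];
    try {
      return decodeURIComponent(name).toLowerCase(); // normalises %72aw etc.
    } catch {
      return name.toLowerCase(); // malformed percent-encoding: keep as logged
    }
  });
  return new Set(names.filter(Boolean));
}

function isSuspicious(target) {
  const keys = queryKeys(target);
  return keys.has("import") && (keys.has("raw") || keys.has("inline"));
}

// Assumption: combined-format access log, request field "METHOD target HTTP/x".
const REQUEST_RE = /^(\S+) .*?"[A-Z]+ (\S+) HTTP\/[\d.]+"/;

function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (m && isSuspicious(m[2])) hits.push({ client: m[1], target: m[2] });
  }
  return hits;
}

// Constructed sample lines: documentation IP ranges, placeholder paths.
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Feb/2026:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '198.51.100.7 - - [01/Feb/2026:10:00:05 +0000] "GET /placeholder/a.txt?raw&import HTTP/1.1" 200 90',
  '198.51.100.7 - - [01/Feb/2026:10:00:06 +0000] "GET /placeholder/b.txt?import&%69nline HTTP/1.1" 200 90',
  '203.0.113.4 - - [01/Feb/2026:10:00:09 +0000] "GET /placeholder/c.txt?raw?import HTTP/1.1" 200 90',
  '192.0.2.10 - - [01/Feb/2026:10:00:12 +0000] "GET /src/logo.svg?import HTTP/1.1" 200 300',
];

for (const hit of findSuspicious(SAMPLE_LOG)) console.log(hit.client, hit.target);
```

Treat hits as leads to triage by requested path and client address rather than as confirmed exploitation.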

Sources

  1. NVD - CVE-2025-31125

    CVE-2025-31125 Detail Description Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

  2. CISA Adds Four Known Exploited Vulnerabilities to Catalog

    CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-31125…

  3. 0xgh057r3c0n/CVE-2025-31125: Vite WASM Import Path Traversal ...

    This script is a proof-of-concept (PoC) exploit for CVE-2025-31125, a vulnerability found in Vite. The exploit leverages a WASM Import Path Traversal issue. ...

  4. CVE-2025-31125 Detail - NVD

    Description. Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import.

  5. CVE-2025-31125 - GitHub Advisory Database

    Vite, a JavaScript dev server, has a vulnerability that allows reading arbitrary files via ?import query. The issue affects only apps exposing the Vite dev server to the network and has been patched in vite@6.2.4.

  6. Actively Exploited Vite Vitejs Vulnerability (CVE-2025-31125)

    The incident involves CVE-2025-31125, an improper access control flaw in Vite that allows unauthorized exposure of sensitive files. By bypassing ...

  7. CVE-2025-31125 - Red Hat Customer Portal

    A flaw was found in the Vite Node.js package. Vite exposes content of non-allowed files using ?inline&import or ?raw?import .