CVE-2025-31125

Published Mar 31, 2025

Last updated 3 months ago

Exploit knownCVSS medium 5.3
JavaScript
Vite

Overview

Description
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Source
security-advisories@github.com
NVD status
Analyzed
Products
vite

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Vite Vitejs Improper Access Control Vulnerability
Exploit added on
Jan 22, 2026
Exploit action due
Feb 12, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security-advisories@github.com
CWE-200
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. 🛡️ Alerta de Seguridad: Vulnerabilidad de Control de Acceso Improper en Vite Vitejs (CVE-2025-31125) Vite Vitejs presenta una vulnerabilidad de control de acceso improper (CWE-200, CWE-284) que expone contenido de archivos no permitidos mediante parámetros ?inline&impor

    @CiberPlanetaOrg

    16 Mar 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 【MBSD-SOCの検知傾向トピックス】 2026年1月分#MBSD#SOCの検知傾向トピックスを公開しました。 今月は、Webアプリケーションの開発者フレームワークであるViteの脆弱性(CVE-2025-30208, CVE-2025-31125)を狙った攻撃が増

    @mbsdnews

    17 Feb 2026

    2024 Impressions

    6 Retweets

    18 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  3. 🛡️ Heads up! Cloudflare WAF is adding new protections against Zimbra & Vite vulnerabilities (CVE-2025-68645 & CVE-2025-31125) on Feb 9th. Stay secure with our proactive threat detection! 🚀 https://t.co/0IT2wg9qnr

    @mveracf

    6 Feb 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Active Vite dev-server zero-day (CVE-2025-31125) leaks “denied” files via ?inline/?raw import bypass UpGuard reports active exploitation of CVE-2025-31125 in Vite where attackers can bypass `server.fs.deny` using query strings like `?inline&import` or `?raw&impo

    @ThreatSynop

    28 Jan 2026

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 CISA Flags Actively Exploited Vite, Prettier, Versa, and Zimbra Flaws in KEV Catalog CISA added four actively exploited issues to its KEV list, including Vite file exposure (CVE-2025-31125), a Versa Concerto auth bypass (CVE-2025-34026), a compromised eslint-config-prettier

    @ThreatSynop

    26 Jan 2026

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-68645 CVE-2025-34026 CVE-2025-31125 CVE-2025-54313 CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities Jan 23, 2026 https://t.co/8V92lYMDDx

    @tdatwja

    24 Jan 2026

    317 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. CISA KEV update: 4 vulnerabilities are confirmed exploited in the wild: Versa Concerto (CVE-2025-34026), Zimbra Classic UI (CVE-2025-68645), Vite dev server exposure (CVE-2025-31125), and a eslint-config-prettier supply chain trojan (CVE-2025-54313). What to patch and check:

    @Anavem_

    23 Jan 2026

    786 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. "Arbitrary File Read Vulnerability in Vite (CVE-2025-31125)" by Sharon #DEVCommunity #Vite #vulnerabilities #cybersecurity https://t.co/TYJ3fdYsuU

    @Sharon18866

    5 Jun 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Arbitrary File Read Vulnerability in Vite (CVE-2025-31125) https://t.co/YYiWsqt9DP

    @MatthewThomz

    5 Jun 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Top 5 Trending CVEs: 1 - CVE-2025-3776 2 - CVE-2025-31125 3 - CVE-2025-31161 4 - CVE-2018-17144 5 - CVE-2025-26529 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    5 May 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 #CVE-2025-31125: Vitejs Vulnerability Analysis https://t.co/6E2aSdw5kI Educational Purposes!

    @UndercodeUpdate

    5 May 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Vite.js has 72k stars on GitHub ⭐ CVE-2025-31125 Severity: High PoC Video: https://t.co/XKF12w8eq5 GitHub PoC: https://t.co/SNo2X1iXaA #Vitejs #CVE2025 #BugBounty 🛡️ https://t.co/yXHXc989Z7

    @wgujjer11

    3 May 2025

    3936 Impressions

    24 Retweets

    94 Likes

    47 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 CVE-2025-31125 - medium 🚨 Vite Development Server - Path Traversal > Path traversal vulnerability in Vite development server's @fs endpoint allows attacke... 👾 https://t.co/xA37HBgCE6 @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    9 Apr 2025

    129 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Nuclei CVE-2025-31125 POC GET /etc/passwd?import&?inline=1.wasm?init GET /C://windows/win.ini?import&?inline=1.wasm?init fofa-query: body="/@vite/client" https://t.co/0BkUKm8B2s

    @kala14254511439

    1 Apr 2025

    88 Impressions

    0 Retweets

    2 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  15. #CVE-2025-31125 Vite New Bypass Reproduced on 6.2.1 https://t.co/3TpIJLLY9c https://t.co/PrPbgMb00I

    @_r00tuser

    1 Apr 2025

    77 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-31125 the new bypass of vite file read https://t.co/g12bQj23I0

    @sirifu4k1

    1 Apr 2025

    447 Impressions

    2 Retweets

    4 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-31125 Information Disclosure Vulnerability in Vite JavaScript Framework Affecting Network-Exposed Servers https://t.co/6ZxYDy1hKh

    @VulmonFeeds

    31 Mar 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. CVE-2025-31125 Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the … https://t.co/VxjCQGC5wz

    @CVEnew

    31 Mar 2025

    248 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.CVE-2025-58752
  2. Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.CVE-2025-58751
  3. User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.CVE-2025-55346
  4. Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.CVE-2025-46565
  5. React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.CVE-2025-31137

References

Sources include official advisories and independent security research.