CVE-2025-31125

Published Mar 31, 2025

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-31125 is an arbitrary file read vulnerability that affects Vite, a frontend tooling framework for JavaScript. The vulnerability exists because Vite exposes the content of non-allowed files when using `?inline&import` or `?raw?import`. Exploitation is possible if the Vite development server is exposed to the network using the `--host` or `server.host` configuration options. An unauthenticated attacker can exploit this vulnerability by crafting malicious HTTP requests to read arbitrary files on the server, potentially leading to sensitive information leakage. Users can mitigate this vulnerability by updating to versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11. If upgrading is not immediately feasible, restricting access to the Vite development server can provide temporary relief.

Description
Vite is a frontend tooling framework for JavaScript. Vite exposes the content of non-allowed files using `?inline&import` or `?raw?import`. Only apps explicitly exposing the Vite dev server to the network (using the `--host` or `server.host` config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
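As an added example (not from the advisory or the Vite project), the following Node.js script implements two defender-side checks derived from the description above: whether an installed Vite version predates the fix on its release line, and a heuristic that flags access-log requests combining the advisory's query markers with a sensitive path. The log format, the sensitive-path patterns and the sample log lines are assumptions constructed for this example.

```javascript
// Parses "major.minor.patch" (an optional leading "v" is tolerated) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// First fixed release on each affected line, as listed in the advisory.
const FIXED = ["6.2.4", "6.1.3", "6.0.13", "5.4.16", "4.5.11"].map(parseVersion);

// True when the installed version is older than the fix on its release line. Assumptions:
// a line with no listed fix (e.g. 5.3.x) is affected; anything newer than its major's newest
// fix, or on a newer major, carries the patch.
function isVulnerableVersion(installed) {
  const v = parseVersion(installed);
  const line = FIXED.find(f => f[0] === v[0] && f[1] === v[1]);
  if (line) return cmp(v, line) < 0;
  const major = FIXED.filter(f => f[0] === v[0]).sort(cmp).pop();
  if (major) return cmp(v, major) < 0;
  return v[0] < Math.min(...FIXED.map(f => f[0]));
}

// Paths a dev server should never serve (heuristic for this example, not exhaustive):
// traversal, the /@fs/ absolute-path route, secrets and system files.
const SENSITIVE = /(^|\/)\.\.(\/|$)|^\/@fs\/|(^|\/)(\.env[^\/]*|[^\/]+\.(pem|key))$|^\/etc\/|win\.ini$/i;
const decode = s => { try { return decodeURIComponent(s); } catch { return s; } };

// Inspects one access-log line (assumed common log format) and returns a finding when the
// request carries the advisory's markers (`import` with `inline` or `raw`) AND a sensitive
// path. Vite issues `?import`, `?raw` and `?inline` for ordinary project files, so the
// markers alone are not an alert.
function checkLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  const [, ip, time, , target, status] = m;
  const q = target.indexOf("?");
  if (q < 0) return null;
  const path = decode(target.slice(0, q));
  const names = new Set(target.slice(q + 1).split(/[?&]/).map(t => t.split("=")[0].toLowerCase()));
  const markers = names.has("import") && (names.has("inline") || names.has("raw"));
  if (!markers || !SENSITIVE.test(path)) return null;
  return { ip, time, path, status: Number(status), served: status === "200" };
}

// Constructed sample lines: two bypass attempts (one served, one blocked) and two legitimate
// Vite client requests that use the same query words for project files.
const SAMPLE_LOG = [
  '203.0.113.7 - - [28/Jan/2026:10:14:02 +0000] "GET /etc/passwd?inline&import HTTP/1.1" 200 1893',
  '203.0.113.7 - - [28/Jan/2026:10:14:03 +0000] "GET /.env?raw?import HTTP/1.1" 403 0',
  '10.0.0.5 - - [28/Jan/2026:10:15:00 +0000] "GET /src/main.ts?import HTTP/1.1" 200 2210',
  '10.0.0.5 - - [28/Jan/2026:10:15:01 +0000] "GET /src/logo.svg?raw&import HTTP/1.1" 200 412',
];
const scanLog = lines => lines.map(checkLogLine).filter(Boolean);
```

A finding with `served: true` means the server answered the bypass request with 200 and the file should be treated as disclosed; a blocked request is still worth recording as reconnaissance.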
Source
security-advisories@github.com
NVD status
Analyzed
Products
vite

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Vite Vitejs Improper Access Control Vulnerability
Exploit added on
Jan 22, 2026
Exploit action due
Feb 12, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security-advisories@github.com
CWE-200
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending
  1. 【MBSD-SOC Detection Trend Topics】 The January 2026 edition of the #MBSD #SOC detection trend topics has been published. This month, attacks targeting vulnerabilities in Vite (CVE-2025-30208, CVE-2025-31125), a developer framework for web applications, increased

    @mbsdnews

    17 Feb 2026

    2024 Impressions

    6 Retweets

    18 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  2. 🛡️ Heads up! Cloudflare WAF is adding new protections against Zimbra & Vite vulnerabilities (CVE-2025-68645 & CVE-2025-31125) on Feb 9th. Stay secure with our proactive threat detection! 🚀 https://t.co/0IT2wg9qnr

    @mveracf

    6 Feb 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Active Vite dev-server zero-day (CVE-2025-31125) leaks “denied” files via ?inline/?raw import bypass. UpGuard reports active exploitation of CVE-2025-31125 in Vite where attackers can bypass `server.fs.deny` using query strings like `?inline&import` or `?raw&impo

    @ThreatSynop

    28 Jan 2026

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 CISA Flags Actively Exploited Vite, Prettier, Versa, and Zimbra Flaws in KEV Catalog. CISA added four actively exploited issues to its KEV list, including Vite file exposure (CVE-2025-31125), a Versa Concerto auth bypass (CVE-2025-34026), a compromised eslint-config-prettier

    @ThreatSynop

    26 Jan 2026

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-68645 CVE-2025-34026 CVE-2025-31125 CVE-2025-54313 CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities Jan 23, 2026 https://t.co/8V92lYMDDx

    @tdatwja

    24 Jan 2026

    317 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. CISA KEV update: 4 vulnerabilities are confirmed exploited in the wild: Versa Concerto (CVE-2025-34026), Zimbra Classic UI (CVE-2025-68645), Vite dev server exposure (CVE-2025-31125), and an eslint-config-prettier supply chain trojan (CVE-2025-54313). What to patch and check:

    @Anavem_

    23 Jan 2026

    786 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. "Arbitrary File Read Vulnerability in Vite (CVE-2025-31125)" by Sharon #DEVCommunity #Vite #vulnerabilities #cybersecurity https://t.co/TYJ3fdYsuU

    @Sharon18866

    5 Jun 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Arbitrary File Read Vulnerability in Vite (CVE-2025-31125) https://t.co/YYiWsqt9DP

    @MatthewThomz

    5 Jun 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Top 5 Trending CVEs: 1 - CVE-2025-3776 2 - CVE-2025-31125 3 - CVE-2025-31161 4 - CVE-2018-17144 5 - CVE-2025-26529 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    5 May 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨 #CVE-2025-31125: Vitejs Vulnerability Analysis https://t.co/6E2aSdw5kI Educational Purposes!

    @UndercodeUpdate

    5 May 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Vite.js has 72k stars on GitHub ⭐ CVE-2025-31125 Severity: High PoC Video: https://t.co/XKF12w8eq5 GitHub PoC: https://t.co/SNo2X1iXaA #Vitejs #CVE2025 #BugBounty 🛡️ https://t.co/yXHXc989Z7

    @wgujjer11

    3 May 2025

    3936 Impressions

    24 Retweets

    94 Likes

    47 Bookmarks

    0 Replies

    0 Quotes

  12. 🚨 CVE-2025-31125 - medium 🚨 Vite Development Server - Path Traversal > Path traversal vulnerability in Vite development server's @fs endpoint allows attacke... 👾 https://t.co/xA37HBgCE6 @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    9 Apr 2025

    129 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Nuclei CVE-2025-31125 POC GET /etc/passwd?import&?inline=1.wasm?init GET /C://windows/win.ini?import&?inline=1.wasm?init fofa-query: body="/@vite/client" https://t.co/0BkUKm8B2s

    @kala14254511439

    1 Apr 2025

    88 Impressions

    0 Retweets

    2 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  14. #CVE-2025-31125 Vite New Bypass Reproduced on 6.2.1 https://t.co/3TpIJLLY9c https://t.co/PrPbgMb00I

    @_r00tuser

    1 Apr 2025

    77 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-31125 the new bypass of vite file read https://t.co/g12bQj23I0

    @sirifu4k1

    1 Apr 2025

    447 Impressions

    2 Retweets

    4 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-31125 Information Disclosure Vulnerability in Vite JavaScript Framework Affecting Network-Exposed Servers https://t.co/6ZxYDy1hKh

    @VulmonFeeds

    31 Mar 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-31125 Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the … https://t.co/VxjCQGC5wz

    @CVEnew

    31 Mar 2025

    248 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations