CVE-2025-31125
published 2025-03-31

Priority: P188 (high); CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2026-02-12
Exploited in the wild
EPSS: 62.10% (99.1th percentile)
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

Affected

Vendor   Product   Version range        Fixed in
vitejs   vite      < 4.5.11             4.5.11
vitejs   vite      >= 0, < 4.5.11       4.5.11
vitejs   vite      >= 5.0.0, < 5.4.16   5.4.16
vitejs   vite      >= 6.0.0, < 6.0.13   6.0.13
vitejs   vite      >= 6.1.0, < 6.1.3    6.1.3
vitejs   vite      >= 6.2.0, < 6.2.4    6.2.4

Detection & IOCs (extracted from sources)

url: /@fs/C:/windows/win.ini?import&?inline=1.wasm?init
url: /@fs/etc/passwd?import&?inline=1.wasm?init
url: /@fs/../../../../../../../etc/passwd?import&?inline=1.wasm?init
url: /@fs/%252e%252e/%252e%252e/%252e%252e/etc/passwd?import&?inline=1.wasm?init
path: /@fs/
  • Detect exploit attempts by monitoring HTTP requests to the /@fs/ endpoint containing the query string patterns '?import&?inline=' or '?raw?import', particularly combined with the '.wasm?init' suffix, the canonical bypass payload format.
  • Alert on HTTP responses from Vite dev servers containing all three of 'data:application/octet-stream', 'base64', and 'import init' in the body with a 'text/javascript' Content-Type header; this indicates successful file exfiltration via the bypass.
  • Use Shodan/FOFA queries to identify exposed Vite dev servers as attack surface: title:"Vite App" (Shodan) or title="Vite App" (FOFA).
  • Flag Vite dev servers started with the --host flag or the server.host config option as exposed and vulnerable; exploitation is only possible when the dev server is network-accessible.
  • Watch for double URL-encoded path traversal sequences (e.g., %252e%252e) in requests to /@fs/ endpoints, indicating attempts to bypass path normalization controls.
  • Only Vite dev servers explicitly exposed to the network are vulnerable. Instances running on localhost only (default behavior, without --host or server.host) are NOT affected.
  • The vulnerability bypasses the server.fs.deny configuration; defenders should not rely on server.fs.deny as a compensating control on unpatched versions.
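The request-side detections above (the /@fs/ query-string patterns and the double-encoded traversal check) as one scanner over access-log lines. This is an added example, not a rule from this site or from the Vite project; it assumes a combined-log-format access log and uses constructed sample lines built from the IOC URL patterns listed above.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines from an exposed Vite dev server.
# The request targets reuse the IOC URL patterns listed on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2025:10:01:02 +0000] "GET /src/main.ts HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2025:10:01:05 +0000] "GET /@fs/etc/passwd?import&?inline=1.wasm?init HTTP/1.1" 200 2048
10.0.0.9 - - [31/Mar/2025:10:01:07 +0000] "GET /@fs/%252e%252e/%252e%252e/etc/passwd?import&?inline=1.wasm?init HTTP/1.1" 200 2048
10.0.0.9 - - [31/Mar/2025:10:01:09 +0000] "GET /@fs/C:/windows/win.ini?raw?import HTTP/1.1" 200 300
10.0.0.5 - - [31/Mar/2025:10:01:11 +0000] "GET /@fs/home/dev/app/src/logo.svg?import HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
BYPASS_MARKERS = ("?import&?inline=", "?raw?import")   # query patterns from the IOC list

def classify_target(target):
    """Return detection tags for one request target (empty list = not flagged)."""
    tags = []
    if not target.startswith("/@fs/"):
        return tags
    if any(m in target for m in BYPASS_MARKERS):
        tags.append("fs-deny-bypass-query")
        if ".wasm?init" in target:                # canonical payload suffix
            tags.append("wasm-init-suffix")
    path = target.split("?", 1)[0]
    once = unquote(path)                          # a single decoding pass
    if "%2e" in once.lower():                     # '.' still encoded after one pass
        tags.append("double-encoded-traversal")
    elif ".." in once.split("/"):                 # plain traversal segment
        tags.append("path-traversal")
    return tags

def scan_log(text):
    """Return (client, target, tags) for every flagged request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_target(m.group("target"))
        if tags:
            hits.append((m.group("client"), m.group("target"), tags))
    return hits

if __name__ == "__main__":
    for client, target, tags in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {', '.join(tags)}")
```

A plain '?import' request to /@fs/ (the last sample line) is normal dev-server traffic and is left unflagged; only the two bypass query forms and traversal patterns produce hits.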

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             3.1            7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck                      5.3     MEDIUM
cisa                           7.5     HIGH
vendor_redhat                  5.3     MEDIUM