CVE-2025-31125
Published: 2025-03-31
Priority: P1 · 88 · high
CVSS 3.1 base score: 7.5
CISA Known Exploited Vulnerability (due 2026-02-12); exploited in the wild
EPSS: 62.10% (99.1th percentile)
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Affected
14 ranges reported by sources (duplicate and empty rows merged):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | >= 0 < 4.5.11 | 4.5.11 |
| vitejs | vite | >= 5.0.0 < 5.4.16 | 5.4.16 |
| vitejs | vite | >= 6.0.0 < 6.0.13 | 6.0.13 |
| vitejs | vite | >= 6.1.0 < 6.1.3 | 6.1.3 |
| vitejs | vite | >= 6.2.0 < 6.2.4 | 6.2.4 |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring HTTP requests to the /@fs/ endpoint containing the query string patterns '?import&?inline=' or '?raw?import', particularly combined with a '.wasm?init' suffix: this is the canonical bypass payload format.
- Alert on HTTP responses from Vite dev servers containing all three of 'data:application/octet-stream', 'base64', and 'import init' in the body with a 'text/javascript' Content-Type header; this indicates successful file exfiltration via the bypass.
- Use Shodan/FOFA queries to identify exposed Vite dev servers as attack surface: title:"Vite App" (Shodan) or title="Vite App" (FOFA).
- Flag Vite dev servers started with the --host flag or server.host config option as exposed and vulnerable; exploitation is only possible when the dev server is network-accessible.
- Watch for double URL-encoded path traversal sequences (e.g., %252e%252e) in requests to /@fs/ endpoints, indicating attempts to bypass path normalization controls.
- Only Vite dev servers explicitly exposed to the network are vulnerable. Instances running on localhost only (the default, without --host or server.host) are NOT affected.
- The vulnerability bypasses the server.fs.deny configuration; defenders should not rely on server.fs.deny as a compensating control on unpatched versions.
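Added detection example (not code from the page's sources or from the Vite project): a Python scanner that applies the request-side patterns listed above to access-log lines. The log lines, client address, and file paths in them are constructed for illustration; note the check does not require the /@fs/ prefix, since the GHSA advisory states it is unnecessary for files inside the project root.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:01:02 +0000] "GET /src/main.ts HTTP/1.1" 200 512
203.0.113.5 - - [22/Jan/2026:10:01:03 +0000] "GET /@fs/etc/hostname?import&?inline=1.wasm?init HTTP/1.1" 200 1840
203.0.113.5 - - [22/Jan/2026:10:01:04 +0000] "GET /.env?raw?import HTTP/1.1" 200 310
203.0.113.5 - - [22/Jan/2026:10:01:05 +0000] "GET /@fs/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 403 0
203.0.113.5 - - [22/Jan/2026:10:01:06 +0000] "GET /src/logo.svg?import HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target: str) -> list[str]:
    """Return the reasons a request target matches the CVE-2025-31125 patterns."""
    reasons = []
    path, _, query = target.partition("?")
    q = query.lower()
    # The ?inline / ?raw query combined with ?import is the signal, with or
    # without the /@fs/ prefix (not needed for files inside the project root).
    if "inline" in q and "import" in q:
        reasons.append("inline+import query")
    if "raw" in q and "import" in q:  # covers ?raw?import
        reasons.append("raw+import query")
    if q.endswith(".wasm?init"):
        reasons.append(".wasm?init suffix")
    # Double-encoded traversal: after one decode a '%2e%2e' sequence remains.
    if "%252e%252e" in target.lower() or "%2e%2e" in unquote(target).lower():
        reasons.append("double-encoded traversal")
    if path.startswith("/@fs/") and reasons:
        reasons.append("/@fs/ endpoint")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Scan log text and return one record per request that matched."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append({"target": m.group("target"), "reasons": reasons})
    return hits
```

Pair this request-side check with the response-side signature above (octet-stream data URI, base64, `import init` in a `text/javascript` body) to distinguish probes from successful reads.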
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | 5.3 | MEDIUM | |
| cisa | 7.5 | HIGH | |
| vendor_redhat | 5.3 | MEDIUM | |
CISA
Vite Vitejs Improper Access Control Vulnerability
cisa·2026-01-22·CVSS 7.5
CVE-2025-31125 [HIGH] CWE-200 Vite Vitejs Improper Access Control Vulnerability
Vulnerability: Vite Vitejs Improper Access Control Vulnerability
Affected: Vite Vitejs
Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170
Red Hat
vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
vendor_redhat·2025-03-31·CVSS 5.3
CVE-2025-31125 [MEDIUM] CWE-73 vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
A flaw was found in the Vite Node.js package. Vite exposes content of non-allowed files using `?inline&import` or `?raw?import`. Only apps explicitly exposing the Vite dev server to the network (using the `--host` or `server.host` config options) are affected.
Package: automation-controller (Red Hat Ansible Automation Platform 2) - Not affected
Package: automation-eda-controller
OSV
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
osv·2025-03-31
CVE-2025-31125 [MEDIUM] Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
### Details
- base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
- content of non-allowed files is exposed using `?raw?import`
`/@fs/` isn't needed to reproduce the issue for files inside the project root.
### PoC
Original report (check details above for simplified cases):
The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files
GHSA
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
ghsa·2025-03-31
CVE-2025-31125 [MEDIUM] CWE-200 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
### Details
- base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
- content of non-allowed files is exposed using `?raw?import`
`/@fs/` isn't needed to reproduce the issue for files inside the project root.
### PoC
Original report (check details above for simplified cases):
The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files
VulnCheck
Vite Vitejs Improper Access Control Vulnerability
vulncheck·2025·CVSS 5.3
CVE-2025-31125 [MEDIUM] CWE-200 Vite Vitejs Improper Access Control Vulnerability
Vite Vitejs Improper Access Control Vulnerability
Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Affected: Vite Vitejs
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cyble.com/blog/cyble-sensors-detects-vulnerabilities/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/january-2026-cve-landscape
Exploit PoC: https://vulncheck.com/xdb/f
No detection rules found.
Nuclei
Vite Development Server - Path Traversal
nuclei·CVSS 7.5
CVE-2025-31125 [HIGH] Vite Development Server - Path Traversal
Vite Development Server - Path Traversal
Path traversal vulnerability in Vite development server's @fs endpoint allows attackers to access files outside the intended directory. When exposed to the network, attackers can exploit this via crafted URLs to access sensitive system files.
Template:
```yaml
id: CVE-2025-31125
info:
  name: Vite Development Server - Path Traversal
  author: martian,ritikchaddha,v2htw
  severity: medium
  description: |
    Path traversal vulnerability in Vite development server's @fs endpoint allows attackers to access files outside the intended directory. When exposed to the network, attackers can exploit this via crafted URLs to access sensitive system files.
  impact: |
    Attackers can exploit path traversal in the @fs endpoint to access files outside the intended directory when t
```
Bugzilla
CVE-2025-31125 vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
bugzilla·2025-03-31·CVSS 7.5
CVE-2025-31125 [HIGH] CVE-2025-31125 vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
CVE-2025-31125 vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Bleepingcomputer
CISA confirms active exploitation of four enterprise software bugs
blogs_bleepingcomputer·2026-01-23·CVSS 5.3
[MEDIUM] CISA confirms active exploitation of four enterprise software bugs
## CISA confirms active exploitation of four enterprise software bugs
By Bill Toulas
The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. warned of active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter.
The security issues have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that the agency has evidence that hackers are exploiting them in the wild.
One of the vulnerabilities is CVE-2025-31125, a high-severity improper access control issue disclosed in March last year that can be exploited to expose non-allowed files when the server is explicitly exposed to the network.
The issue affects only exposed dev instances and has bee
Recorded Future
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future·CVSS 4.9
[MEDIUM] January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
# January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
References
- https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949
- https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125
Timeline
- 2025-03-31: Published
- 2026-01-22: Added to CISA KEV
- Exploited in the wild