⚠ Actively exploited
Added to CISA KEV on 2026-01-22. Federal agencies required to patch by 2026-02-12. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2025-31125 — Sensitive Information Exposure in Vite
Severity
NVD: 7.5 HIGH
VulnCheck: 5.3
EPSS
82.1% (top 0.79%)
CISA KEV
Added 2026-01-22, due 2026-02-12
Exploit
Public exploit / PoC exists
Timeline
Published: Mar 31, 2025
KEV added: Jan 22, 2026
Latest update: Jan 23, 2026
KEV due: Feb 12, 2026
Description
Vite is a frontend tooling framework for JavaScript. In affected versions the Vite dev server returns the contents of files that its `server.fs` allow/deny rules should block when the request URL carries the `?inline&import` or `?raw?import` query suffix: the query makes the request look like one of Vite's own asset imports, and the file-access check is not applied to it. Only apps that explicitly expose the dev server to the network (with `--host` or the `server.host` config option) are affected; a dev server bound to localhost is reachable only from the developer's machine. The vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11.
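The following is an added example written for this page, not code from the Vite project or from the tracker: a Node.js triage script that (a) reports whether a vite version seen in a lockfile predates the fixed releases listed above, and (b) scans request-log lines for raw/inline import requests that reach outside the project root or hit sensitive files, the request shape the bypass relies on. The five fixed versions come from the advisory text; the log format, project root, sensitive-file patterns and the treatment of release lines newer than every listed fix are assumptions.

```javascript
// Added example for CVE-2025-31125 triage (not Vite project code).
// Fixed releases named in the advisory; everything else below is assumed.
const FIXED_RELEASES = ['6.2.4', '6.1.3', '6.0.13', '5.4.16', '4.5.11'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` predates the fix on its release line.
// Assumption (derived from the fixed-version list, not stated on the page):
// lines newer than every listed fix (6.3.x, 7.x, ...) carry the fix, and
// majors older than 4.x never received one.
function isVulnerableViteVersion(version) {
  const v = parseVersion(version);
  const fixes = FIXED_RELEASES.map(parseVersion).sort(compareVersions);
  const sameMinor = fixes.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameMinor) return compareVersions(v, sameMinor) < 0;
  const sameMajor = fixes.filter((f) => f[0] === v[0]);
  if (sameMajor.length) return compareVersions(v, sameMajor[sameMajor.length - 1]) < 0;
  return v[0] < fixes[0][0]; // oldest fixed major is 4
}

// Collapse '.', '..' and empty segments of an absolute POSIX path.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Constructed deny-list of file names a dev server should never hand out.
const SENSITIVE_FILE = /(^|\/)(\.env(\.[^/]*)?|[^/]*\.(pem|key|p12)|id_rsa[^/]*)$/;

// Classify one request URL as the dev server would see it. `projectRoot` is
// the directory Vite serves; Vite's /@fs/ prefix addresses an absolute path.
function classifyRequest(rawUrl, projectRoot = '/srv/app') {
  const u = new URL(rawUrl, 'http://localhost:5173');
  const q = u.search;
  // Legitimate Vite asset imports also carry ?raw&import / ?inline&import, so
  // the query alone is not a signal; what matters is which file it targets.
  const importQuery =
    /[?&](raw|inline)(?=$|[?&=])/.test(q) && /[?&]import(?=$|[?&=])/.test(q);
  const decoded = decodeURIComponent(u.pathname);
  const target = decoded.startsWith('/@fs/')
    ? normalizePosix(decoded.slice('/@fs'.length))
    : normalizePosix(`${projectRoot}/${decoded}`);
  const insideRoot = target === projectRoot || target.startsWith(`${projectRoot}/`);
  let reason = null;
  if (importQuery && !insideRoot) reason = 'raw/inline import of a file outside the project root';
  else if (importQuery && SENSITIVE_FILE.test(target)) reason = 'raw/inline import of a sensitive file';
  return { url: rawUrl, target, suspicious: reason !== null, reason };
}

// Constructed sample log, "METHOD URL STATUS" per line (format is an assumption).
const SAMPLE_LOG = [
  'GET /src/main.ts 200',
  'GET /src/logo.svg?raw&import 200',               // normal Vite asset import
  'GET /@fs/srv/app/src/data.txt?raw?import 200',   // inside the served root
  'GET /@fs/etc/passwd?raw?import 200',             // outside the root
  'GET /.env?inline&import 200',                    // sensitive file in the root
];

function findBypassRequests(lines, projectRoot = '/srv/app') {
  const hits = [];
  for (const line of lines) {
    const m = /^\S+\s+(\S+)\s+\d{3}/.exec(line);
    if (!m) continue;
    const r = classifyRequest(m[1], projectRoot);
    if (r.suspicious) hits.push(r);
  }
  return hits;
}

console.log(`vite 6.2.3 vulnerable: ${isVulnerableViteVersion('6.2.3')}`);
for (const h of findBypassRequests(SAMPLE_LOG)) console.log(`${h.url} -> ${h.target}: ${h.reason}`);
```

The classifier deliberately ignores the query form on its own: Vite's client requests `?raw&import` and `?inline&import` for ordinary asset imports, so alerting on the suffix alone would page on every page load. The signal is the resolved target, either an `/@fs/` path outside the served root or a denied file name inside it.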
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
The vector reflects an unauthenticated network request with no user interaction that discloses file contents (high confidentiality impact) without affecting integrity or availability.
Affected packages: 3
Exploits & PoCs
Nuclei template: Vite Development Server - Path Traversal