cbcvebase.
CVE-2025-31486
published 2025-04-03

CVE-2025-31486: Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with…

PriorityP352medium5.3CVSS 3.1
AVNACHPRNUIRSUCHINAN
EXPLOIT
EPSS
35.19%
98.2th percentile
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.

Affected

17 ranges
VendorProductVersion rangeFixed in
msrccbl2_perl_5.34.1-489_on_cbl_mariner_2.0
msrccbl2_perl_5.34.1-490_on_cbl_mariner_2.0
msrccbl_mariner_1.0_arm
msrccbl_mariner_1.0_x64
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
msrccm1_perl_5.30.3-3_on_cbl_mariner_1.0
vitejsvite< 4.5.124.5.12
vitejsvite
vitejsvite
vitejsvite
vitejsvite
vitejsvite>= 0 < 4.5.124.5.12
vitejsvite>= 5.0.0 < 5.4.175.4.17
vitejsvite>= 6.0.0 < 6.0.146.0.14
vitejsvite>= 6.1.0 < 6.1.46.1.4
vitejsvite>= 6.2.0 < 6.2.56.2.5

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vendor_msrc8.1HIGH
vendor_redhat5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.