CVE-2025-31486
Published 2025-04-03
Priority: P3 · CVSS 3.1: 5.3 (medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitation likelihood (EPSS): 35.19% (98.2th percentile)
Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser. By adding `?.svg` together with `?.wasm?init`, or with a `sec-fetch-dest: script` request header, the `server.fs.deny` restriction could be bypassed. This bypass is only possible if the file is smaller than `build.assetsInlineLimit` (default: 4 kB) and when using Vite 6.0+. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | >= 0 < 4.5.12 | 4.5.12 |
| vitejs | vite | >= 5.0.0 < 5.4.17 | 5.4.17 |
| vitejs | vite | >= 6.0.0 < 6.0.14 | 6.0.14 |
| vitejs | vite | >= 6.1.0 < 6.1.4 | 6.1.4 |
| vitejs | vite | >= 6.2.0 < 6.2.5 | 6.2.5 |
The msrc rows for Perl on CBL-Mariner that the feed attached to this entry belong to CVE-2023-31486 (HTTP::Tiny; see the Microsoft entry below) and are not affected ranges for this CVE.
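The version table above is what an upgrade check has to encode: five ranges, each closed by its own patch release, so "is my Vite affected?" depends on which release line you are on. The following is an added example and not Vite project code; it encodes the table, does the semver ordering itself (no dependency), and walks an `npm ls --json`-style tree so nested copies of vite pulled in by plugins are found too. The sample tree is constructed for the example and the `npm ls vite --all --json` command in the comment is the assumed way to obtain real input.

```javascript
// Added example, not Vite project code: decide whether a given Vite version is in
// one of the affected ranges from the advisory table above, and walk an
// `npm ls --json`-style dependency tree to find every nested copy of vite.

// Affected ranges and the release that closes each one, as published in the advisory.
// Ranges are listed in ascending order of their lower bound.
const FIXED_RANGES = [
  { min: '0.0.0', fixedIn: '4.5.12' },
  { min: '5.0.0', fixedIn: '5.4.17' },
  { min: '6.0.0', fixedIn: '6.0.14' },
  { min: '6.1.0', fixedIn: '6.1.4' },
  { min: '6.2.0', fixedIn: '6.2.5' },
];

// Parse "major.minor.patch" with an optional leading "v", "-prerelease" and "+build".
// Returns { nums: [maj, min, patch], pre: bool } or null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Semver-style ordering: compare the numeric triple, and rank a prerelease
// below the release with the same triple (6.2.5-beta.1 < 6.2.5). Prerelease
// identifiers are not compared against each other; that is enough here.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  return Number(b.pre) - Number(a.pre);
}

// { vulnerable: true, fixedIn } when `version` is inside an affected range,
// { vulnerable: false } otherwise, null when the string is not a plain version.
// A version above every listed range (for example 7.0.0) is reported as not
// affected, because the advisory lists no range for it.
function checkViteVersion(version) {
  const v = parseVersion(version);
  if (!v) return null;
  // The applicable range is the one with the highest lower bound <= v.
  let range = null;
  for (const r of FIXED_RANGES) {
    if (compareVersions(v, parseVersion(r.min)) >= 0) range = r;
  }
  if (range && compareVersions(v, parseVersion(range.fixedIn)) < 0) {
    return { vulnerable: true, fixedIn: range.fixedIn };
  }
  return { vulnerable: false };
}

// Recursively collect every vite entry in an `npm ls --json` tree that is still
// in an affected range. `tree` is the parsed JSON object; `path` is the chain of
// package names leading to the entry, joined with " > " in the result.
function findVulnerableVite(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'vite' && info.version) {
      const r = checkViteVersion(info.version);
      if (r && r.vulnerable) {
        out.push({ path: here.join(' > '), version: info.version, fixedIn: r.fixedIn });
      }
    }
    findVulnerableVite(info, here, out);
  }
  return out;
}

// Constructed sample tree in `npm ls --json` shape (not real command output):
// a top-level vite, a nested vite under a plugin, and an already patched copy.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    vite: { version: '6.2.4' },
    '@vitejs/plugin-react': {
      version: '4.3.4',
      dependencies: { vite: { version: '5.4.16' } },
    },
    vitest: {
      version: '3.0.9',
      dependencies: { vite: { version: '6.2.5' } },
    },
  },
};

// Usage: run as-is for the sample, or capture real input with
//   npm ls vite --all --json > tree.json
// and JSON.parse that file in place of SAMPLE_TREE.
for (const hit of findVulnerableVite(SAMPLE_TREE)) {
  console.log(`${hit.path}: vite ${hit.version} is affected, upgrade to ${hit.fixedIn}`);
}
```

Two details matter in practice: the check is per release line, so 6.1.3 is affected even though 6.0.14 exists, and a prerelease of a fix release (6.2.5-beta.1) still sorts below the fix and is reported as affected.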
CVSS provenance
NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vendor_redhat: 5.3 MEDIUM
vendor_msrc: 8.1 HIGH (this score belongs to CVE-2023-31486, HTTP::Tiny, not to the Vite issue; see the Microsoft entry below)
GHSA
Vite allows server.fs.deny to be bypassed with .svg or relative paths
ghsa·2025-04-04
CVE-2025-31486 [MEDIUM] CWE-200 Vite allows server.fs.deny to be bypassed with .svg or relative paths
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or the [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
### Details
#### `.svg`
Requests ending with `.svg` are loaded at this line:
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding `?.svg` together with `?.wasm?init`, or with a `sec-fetch-dest: script` request header, the `server.fs.deny` restriction could be bypassed.
This bypass is only possible if the file is smaller than [`build.assetsInlineLimit`](https://vite.dev/config/build-options.html#build
OSV
Vite allows server.fs.deny to be bypassed with .svg or relative paths
osv·2025-04-04
CVE-2025-31486 [MEDIUM] Vite allows server.fs.deny to be bypassed with .svg or relative paths (same advisory text as the GHSA entry above)
Red Hat
vite: Vite allows server.fs.deny to be bypassed with .svg or relative paths
vendor_redhat·2025-04-03·CVSS 5.3
CVE-2025-31486 [MEDIUM] CWE-200 vite: Vite allows server.fs.deny to be bypassed with .svg or relative paths
A flaw was discovered in the Vite frontend framework for JavaScript. In affected versions, it is possible for arbitrary files to be returned to the browser via a sp
Microsoft
vendor_msrc·2023-04-11·CVSS 8.1
CVE-2023-31486 [HIGH] CWE-295 HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
This entry concerns CVE-2023-31486 (HTTP::Tiny), a different vulnerability that shares only its numeric suffix with CVE-2025-31486; it has no bearing on Vite or on this advisory.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Suricata
ET WEB_SPECIFIC_APPS Vite Unauthenticated Arbitrary File Read (CVE-2025-31486)
suricata·2025-04-09·CVSS 5.3
CVE-2025-31486 [MEDIUM] ET WEB_SPECIFIC_APPS Vite Unauthenticated Arbitrary File Read (CVE-2025-31486)
Rule:

```suricata
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Vite Unauthenticated Arbitrary File Read (CVE-2025-31486)"; flow:established,to_server; http.uri; content:"|3f 2e|svg"; content:"|3f 2e|wasm|3f|init"; fast_pattern; reference:url,github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x; reference:cve,2025-31486; classtype:web-application-attack; sid:2061411; rev:1; metadata:affected_product Vite, attack_target Web_Server, created_at 2025_04_09, cve CVE_2025_31486, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name
```

The signature inspects only the request URI and requires both `?.svg` and `?.wasm?init` to be present, so it covers the first variant in the advisory. The second variant, `?.svg` combined with a `sec-fetch-dest: script` request header, carries nothing distinctive in the URI and is not matched by this rule; detecting it needs the header itself, either in an IDS rule on `http.header` or in access logs that record it.
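When the IDS was not in front of a dev server at the time, the same logic can be run over access logs after the fact. The following is an added example, not code from Emerging Threats or from the Vite project: it applies the rule's two URI substrings to each request line and, because a log can carry request headers where the rule cannot, also flags the `sec-fetch-dest: script` variant. It assumes the Combined Log Format with one optional extra quoted field holding the `Sec-Fetch-Dest` header (an nginx `log_format` ending in `"$http_sec_fetch_dest"` is the assumed source); the log lines are constructed for the example and the request paths in them are illustrative, not taken from the advisory.

```javascript
// Added example, not code from Emerging Threats or the Vite project: apply the
// URI logic of the Suricata rule above to web-server access logs, and also
// flag the header variant the rule cannot see. Assumes the Combined Log Format
// with one optional extra quoted field carrying the request's Sec-Fetch-Dest
// header; plain combined lines parse too, with the header reported as "-".

// ip ident user [time] "METHOD uri proto" status bytes "referer" "ua" ["sec-fetch-dest"]
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"(?: "([^"]*)")?$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    uri: m[4],
    status: Number(m[5]),
    secFetchDest: m[6] || '-',
  };
}

// Same two URI substrings the ET signature (sid 2061411) requires, both present.
// The rule's content matches are case-sensitive, so this check is too.
function matchesSuricataRule(uri) {
  return uri.includes('?.svg') && uri.includes('?.wasm?init');
}

// Second variant from the advisory: "?.svg" plus a Sec-Fetch-Dest: script header.
// Only detectable here because the assumed log format records that header.
function matchesHeaderVariant(uri, secFetchDest) {
  return uri.includes('?.svg') && secFetchDest.toLowerCase() === 'script';
}

// Scan an array of log lines and return one finding per suspicious request,
// with the reason(s) it matched. The response status is kept for triage: a 200
// on a path that should be under fs.deny is the case to investigate first.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const reasons = [];
    if (matchesSuricataRule(r.uri)) reasons.push('uri has ?.svg and ?.wasm?init (ET sid 2061411)');
    if (matchesHeaderVariant(r.uri, r.secFetchDest)) reasons.push('uri has ?.svg with Sec-Fetch-Dest: script');
    if (reasons.length) findings.push({ ip: r.ip, time: r.time, uri: r.uri, status: r.status, reasons });
  }
  return findings;
}

// Constructed sample lines (not a real capture); addresses are RFC 5737 test ranges.
// Line 2 has the script header but no ?.svg; line 4 is a genuine .svg asset request.
const SAMPLE_LOG = [
  '203.0.113.7 - - [09/Apr/2025:10:00:01 +0000] "GET /.env?.svg?.wasm?init HTTP/1.1" 200 312 "-" "curl/8.5.0" "-"',
  '203.0.113.7 - - [09/Apr/2025:10:00:02 +0000] "GET /src/main.ts HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "script"',
  '198.51.100.2 - - [09/Apr/2025:10:00:03 +0000] "GET /package.json?.svg HTTP/1.1" 200 450 "-" "Mozilla/5.0" "script"',
  '198.51.100.2 - - [09/Apr/2025:10:00:04 +0000] "GET /assets/logo.svg HTTP/1.1" 200 2100 "-" "Mozilla/5.0" "image"',
  '192.0.2.9 - - [09/Apr/2025:10:00:05 +0000] "GET /.git/config?.svg?.wasm?init HTTP/1.1" 403 0 "-" "python-requests/2.31"',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.status} ${f.uri} :: ${f.reasons.join('; ')}`);
}
```

The header variant is only visible when the log format records `Sec-Fetch-Dest`; a plain combined log parses but reports that field as `-`, so requests of the second kind are missed there, exactly as they are by the URI-only IDS rule.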
Nuclei
Vite server.fs.deny Bypass - Local File Inclusion
nuclei·CVSS 5.3
CVE-2025-31486 [MEDIUM] Vite server.fs.deny Bypass - Local File Inclusion
Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser. By adding `?.svg` together with `?.wasm?init`, or with a `sec-fetch-dest: script` header, the `server.fs.deny` restriction could be bypassed. This bypass is only possible if the file is smaller than `build.assetsInlineLimit` (default: 4 kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected.
Template:

```yaml
id: CVE-2025-31486
info:
  name: Vite server.fs.deny Bypass - Local File Inclusion
  author: wn147
  severity: medium
  description: |
    Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By addi
```

References from the template:
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647
https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x