CVE-2025-31125

Vite `server.fs.deny` bypass for `inline` and `raw` with `?import` query

Basic Information

CVE State
PUBLISHED
Reserved Date
March 26, 2025
Published Date
March 31, 2025
Last Updated
January 23, 2026
Vendor
vitejs
Product
vite
Description
Vite is a frontend tooling framework for JavaScript. Vite exposes the content of files that are not on the allow list when they are requested with ?inline&import or ?raw?import. Only apps that explicitly expose the Vite dev server to the network (using --host or the server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Tags
cisa nuclei_scanner

CVSS Scores

CVSS v3.1

5.3 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 13:30:36 UTC)
Proof of Concept Available
Yes (added 2025-04-01 14:24:44 UTC)

Known Exploited Vulnerability Information

Source: CVE
Added Date: 2026-06-01 10:49:32 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

sunhuiHi666/CVE-2025-31125

Type: github • Created: 2025-04-01 14:24:44 UTC • Stars: 5

Vite arbitrary file read vulnerability PoC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel