CVE-2025-31125
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
In short
Vite's file access restrictions can be bypassed using special query parameters (?inline&import or ?raw?import), allowing attackers to read files that should be protected. This only affects development servers intentionally exposed to the network.
Technical detail
A path traversal vulnerability in Vite's dev server bypasses server.fs.deny restrictions when ?inline&import or ?raw?import query parameters are appended to file requests. The attack requires network access to the exposed dev server and can result in unauthorized disclosure of sensitive files outside the intended accessible directory.
Summary generated and translated by AI from the official description.
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected products
vitejs · vitepublic PoCs found — 4
githubgithub.com/sunhuiHi666/CVE-2025-31125★ 6githubgithub.com/MuhammadWaseem29/Vitejs-exploit★ 0githubgithub.com/0xgh057r3c0n/CVE-2025-31125★ 0githubgithub.com/harshgupptaa/Path-Transversal-CVE-2025-31125-★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →