Home

Description

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

PUBLISHED Reserved 2025-03-26 | Published 2025-03-31 | Updated 2026-01-22 | Assigner GitHub_M




MEDIUM: 5.3CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA Known Exploited Vulnerability

Date added 2026-01-22 | Due date 2026-02-12

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-284: Improper Access Control

Product status

>= 6.2.0, < 6.2.4
affected

>= 6.1.0, < 6.1.3
affected

>= 6.0.0, < 6.0.13
affected

>= 5.0.0, < 5.4.16
affected

< 4.5.11
affected

References

github.com/...s/vite/security/advisories/GHSA-4r4m-qw57-chr8 exploit

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-31125 government-resource

github.com/...s/vite/security/advisories/GHSA-4r4m-qw57-chr8

github.com/...ommit/59673137c45ac2bcfad1170d954347c1a17ab949

cve.org (CVE-2025-31125)

nvd.nist.gov (CVE-2025-31125)

Download JSON