
Description

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.

PUBLISHED Reserved 2025-09-15 | Published 2025-09-19 | Updated 2025-09-19 | Assigner GitHub_M




LOW: 2.9 | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 1.6.0: affected

References

github.com/...rs-sdk/security/advisories/GHSA-4pfg-2mw5-f8jx

github.com/...ommit/0e500720bf70016fa4ea21fc8959c4bd764ebc38

hackerone.com/reports/3117837

github.com/cloudflare/workers-sdk/discussions/3455

cve.org (CVE-2025-59427)

nvd.nist.gov (CVE-2025-59427)
