PT-2025-13812 · Vite · Vite

Published 2025-03-31 · Updated 2026-02-18 · CVE-2025-31125

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vite versions 4.5.11, 5.4.16, 6.0.13, 6.1.3, and 6.2.4
Description: Vite, a frontend tooling framework for JavaScript, exposes the contents of files outside its allow list when they are requested with the ?inline&import or ?raw?import query parameters. The issue is reachable only when the Vite development server is explicitly exposed to the network, either through the --host command-line option or the server.host configuration setting. An attacker who can reach the server can read arbitrary files, receiving their contents base64-encoded. For files inside the project root, the /@fs/ path prefix is not needed. Published proof-of-concept exploits consist of URLs carrying these query parameters to request file contents.
Recommendations: Update Vite to the fixed release for the version line in use: 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11.
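The two defender-side checks that follow from the description are (a) whether the dev server is exposed via server.host at all, and (b) whether any request has carried the ?inline&import or ?raw?import parameter combinations named above. The script below is an added example, not Vite's code or part of the original advisory: it flags such requests in a constructed, simplified access-log format ("<client-ip> <method> <path>") and evaluates a Vite config object for network exposure. The log format, the sample lines and the function names are assumptions made for this example; the server.host semantics follow the Vite documentation (true or a non-loopback address listens on the network).

```javascript
// Added example (not Vite's code): detect requests using the query-parameter
// combinations from the advisory, and check a Vite config for network exposure.
// Log format and sample lines are constructed for this example.

// Collect query-parameter names. Vite accepts both "?a&b" and "?a?b" shapes
// (the advisory names "?inline&import" and "?raw?import"), so split on both.
function queryParamNames(pathWithQuery) {
  const qIndex = pathWithQuery.indexOf("?");
  if (qIndex === -1) return [];
  return pathWithQuery
    .slice(qIndex + 1)
    .split(/[?&]/)
    .map((part) => part.split("=")[0])
    .filter(Boolean);
}

// A request is suspicious when "import" is combined with "inline" or "raw".
// "?raw" alone is a normal Vite asset-import feature and is not flagged.
function isSuspiciousRequest(pathWithQuery) {
  const names = new Set(queryParamNames(pathWithQuery));
  return names.has("import") && (names.has("inline") || names.has("raw"));
}

// Constructed sample log: "<client-ip> <method> <path>".
const SAMPLE_LOG = [
  "10.0.0.5 GET /src/main.ts",
  "10.0.0.5 GET /src/App.vue?vue&type=style&index=0&lang.css",
  "203.0.113.9 GET /src/secret.txt?inline&import",
  "203.0.113.9 GET /package.json?raw?import",
  "10.0.0.7 GET /assets/logo.svg?raw",
];

function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const [clientIp, method, path] = line.split(" ");
    if (path && isSuspiciousRequest(path)) hits.push({ clientIp, method, path });
  }
  return hits;
}

// server.host: true, "0.0.0.0", "::" or any other non-loopback value exposes
// the dev server on the network; undefined/false/localhost keep it local.
function devServerIsExposed(viteConfig) {
  const host = viteConfig?.server?.host;
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  return !["localhost", "127.0.0.1", "::1"].includes(String(host));
}

// Example run over the constructed data.
const findings = findSuspiciousRequests(SAMPLE_LOG);
console.log(`suspicious requests: ${findings.length}`, findings);
console.log("exposed with host:true ->", devServerIsExposed({ server: { host: true } }));
```

Run it against the dev server's real request log (adjusting the line split to that format) while the host is exposed; a single hit is enough to justify restricting server.host to localhost until the fixed release is installed.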

Exploit

Fix

Weakness Enumeration

Improper Access Control

Information Disclosure

Related Identifiers

CVE-2025-31125
GHSA-4R4M-QW57-CHR8

Affected Products

Vite