PT-2025-14786 · Vite · Vite

Published 2025-04-03 · Updated 2025-11-10 · CVE-2025-31486

CVSS v3.1 5.3 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Vite 6.0.0 through 6.0.13
Vite 6.1.0 through 6.1.3
Vite 6.2.0 through 6.2.4
Vite 4.5.11 and earlier
Vite 5.4.16 and earlier
Description
The contents of arbitrary files can be returned to the browser. Appending ?.svg together with ?.wasm?init to the request URL, or sending the request with a sec-fetch-dest: script header, bypasses the server.fs.deny restriction, so a file the dev server is configured to refuse is read and served anyway. The bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4 kB) and when using Vite 6.0+. Only applications that explicitly expose the Vite dev server to the network (with the --host flag or the server.host option) are affected.
Recommendations
Update to a fixed release for the line in use:
Vite 6.0.0 through 6.0.13: update to 6.0.14 or later.
Vite 6.1.0 through 6.1.3: update to 6.1.4 or later.
Vite 6.2.0 through 6.2.4: update to 6.2.5 or later.
Vite 4.5.11 and earlier: update to 4.5.12 or later.
Vite 5.4.16 and earlier: update to 5.4.17 or later.
Verify the version actually resolved in the lockfile rather than the range in package.json, since a caret range can still pin a vulnerable release. As a temporary workaround, do not expose the dev server to the network (leave server.host unset and do not pass --host), or restrict network access to it so that only trusted clients can reach it.

Exploit

Fix

Weakness Enumeration

Improper Access Control
Information Disclosure

Related Identifiers

CVE-2025-31486
GHSA-XCJ6-PQ6G-QJ4X

Affected Products

Vite