PT-2025-38576 · Cloudflare · Cloudflared+2
Cherry · Published 2025-07-08 · Updated 2025-09-19 · CVE-2025-59427
CVSS v4.0: 6.9 Medium
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions
Cloudflare Vite plugin versions prior to 1.6.0
Description
The Cloudflare Vite plugin, when used with its default configuration, exposes files from the root directory via the local development server. This includes sensitive files such as .env and .dev.vars, which may contain secret information. If the development server is exposed on a public network, an attacker may be able to acquire these secrets. This can occur when using tools like wrangler or cloudflared without proper configuration. Exposed files may also include package.json and README.md, potentially revealing dependencies and internal documentation.
Recommendations
Cloudflare Vite plugin versions prior to 1.6.0 should be updated to version 1.6.0 or later.
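To find out whether a project still resolves to an affected version, the check below walks a parsed npm lockfile and flags every installed copy of the plugin older than 1.6.0. It is an added example, not part of the advisory or Cloudflare's code; it assumes the npm package name `@cloudflare/vite-plugin`, a package-lock.json with lockfileVersion 2 or 3, and a constructed sample lockfile.

```javascript
// Added example: flag installs of @cloudflare/vite-plugin older than 1.6.0
// in a parsed package-lock.json (lockfileVersion 2 or 3 assumed).
const PKG = "@cloudflare/vite-plugin"; // assumed npm name of the affected plugin
const FIXED = [1, 6, 0];               // first fixed version per the advisory

// Returns true when `version` sorts before 1.6.0 in semver order, false when
// it is 1.6.0 or later, and null when it cannot be parsed (git URL, tag, ...).
// Prereleases of 1.6.0 (e.g. 1.6.0-beta.1) sort before 1.6.0, so they are flagged.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return null;
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Walks lock.packages, whose keys are install paths such as
// "node_modules/@cloudflare/vite-plugin" or a nested copy under another package.
function findAffectedInstalls(lock) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || path.slice(idx + marker.length) !== PKG) continue;
    const affected = isAffected(meta.version);
    if (affected !== false) {
      findings.push({ path, version: meta.version, status: affected ? "affected" : "unknown" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-worker", devDependencies: { [PKG]: "^1.5.0" } },
    "node_modules/@cloudflare/vite-plugin": { version: "1.5.1" },
    "node_modules/tool-a/node_modules/@cloudflare/vite-plugin": { version: "1.6.0" },
    "node_modules/tool-b/node_modules/@cloudflare/vite-plugin": { version: "1.6.0-beta.1" },
    "node_modules/vite": { version: "6.3.5" },
  },
};

console.log(findAffectedInstalls(SAMPLE_LOCK));
```

Against a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `findAffectedInstalls`; entries with status "unknown" need manual review.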
Exploit
Fix
Information Disclosure
Affected Products
@Cloudflare/Vite-Plugin
Cloudflared
Wrangler