CVE-2025-31125

Published Mar 31, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-31125 is an arbitrary file read vulnerability in Vite, a frontend tooling framework for JavaScript. The Vite development server is meant to serve only files inside its allow list (the `server.fs.allow` setting, with `server.fs.deny` for exclusions), but a request that appends `?inline&import` or `?raw?import` to a path causes the server to return the contents of files outside that list. Only projects that expose the dev server to the network (with the `--host` flag or the `server.host` config option) are affected; the default binding to localhost is not reachable from other hosts. An unauthenticated attacker who can reach the server sends a crafted HTTP request naming the target path and receives the file's contents, so any file readable by the dev-server process can leak. The fix is in Vite 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11. If upgrading is not immediately possible, stop exposing the dev server to the network or restrict access to it at the network layer until it can be upgraded.

Description
Vite is a frontend tooling framework for JavaScript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using the --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
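Two checks a practitioner would want after reading the description above, as an added example rather than code from the Vite project or from this advisory. `isFixedViteVersion` compares an installed Vite version against the fixed releases listed here (6.2.4, 6.1.3, 6.0.13, 5.4.16, 4.5.11): release lines newer than 6.2 are treated as fixed, and a version on any other unlisted line (5.3.x, for example) is reported as needing an upgrade, which is this example's conservative reading and not a statement in the advisory. `findSuspiciousRequests` scans access-log lines for the request shape the description names, a query string that combines `import` with `inline` or `raw`, and only reports a request when its path also points outside the project's served tree (an `/@fs/` path, a `..` segment, or a top-level name not in the caller-supplied `SERVED_TOP_LEVEL` set), because the dev server's own import rewriting can produce `?raw&import` for ordinary raw imports under the project root. The log format (`client method url status`), the served-tree set and the sample lines are constructed for the example; a Vite dev server does not write an access log on its own, so in practice these lines would come from a reverse proxy in front of it.

```javascript
// Added example for CVE-2025-31125 (not code from the Vite project).
// 1. isFixedViteVersion: is an installed Vite version at or above a fixed release?
// 2. findSuspiciousRequests: do access-log lines show the advisory's request
//    shape (`import` combined with `inline` or `raw`) aimed outside the served tree?
// Log format, served-tree set and sample lines are constructed for this example.

// Fixed releases named in the advisory, newest release line first.
const FIXED_RELEASES = [
  [6, 2, 4],
  [6, 1, 3],
  [6, 0, 13],
  [5, 4, 16],
  [4, 5, 11],
];

// Parses "6.2.3", "v6.2.3" or "6.2.4-beta.1"; null if not a three-part version.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: Boolean(m[4]) };
}

function isFixedViteVersion(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`cannot parse Vite version: ${version}`);
  const line = FIXED_RELEASES.find(([maj, min]) => maj === v.major && min === v.minor);
  if (line) {
    // Same release line as a listed fix: compare patch numbers. A prerelease of
    // the fix version itself (6.2.4-beta.1) predates the fix.
    if (v.patch === line[2]) return !v.prerelease;
    return v.patch > line[2];
  }
  // Lines newer than the newest listed fix (6.3.x, 7.x) were cut after the fix.
  // Any other unlisted line (5.3.x, 3.x) is reported as needing an upgrade to a
  // listed release; that conservative reading is this example's assumption.
  const [newestMajor, newestMinor] = FIXED_RELEASES[0];
  return v.major > newestMajor || (v.major === newestMajor && v.minor > newestMinor);
}

// Splits a request URL at the first "?" without normalising the path, so that
// ".." segments survive for inspection (the WHATWG URL parser would resolve them).
function splitUrl(url) {
  const i = url.indexOf('?');
  return i === -1 ? { path: url, query: '' } : { path: url.slice(0, i), query: url.slice(i + 1) };
}

// The advisory lists `?raw?import` (a second "?" inside the query) as a working
// form, so keys are split on both "&" and "?" rather than with URLSearchParams,
// which would see a single key named "raw?import".
function queryKeys(query) {
  return query.split(/[&?]/).filter(Boolean).map((kv) => kv.split('=')[0]);
}

function hasBypassQuery(query) {
  const keys = new Set(queryKeys(query));
  return keys.has('import') && (keys.has('inline') || keys.has('raw'));
}

// True when the path addresses something outside the project's served tree: a
// ".." segment after percent-decoding, a malformed escape, or a top-level name
// that is not one of the project's own entries ("/etc/..." and "/@fs/..." are
// caught, "/src/..." is not).
function pathOutsideServedTree(path, servedTopLevel) {
  let decoded;
  try { decoded = decodeURIComponent(path); } catch { return true; }
  const segments = decoded.split('/').filter(Boolean);
  if (segments.includes('..')) return true;
  if (segments.length === 0) return false; // "/" is index.html
  return !servedTopLevel.has(segments[0]);
}

// lines: "client method url status" (constructed format). Returns the requests
// that combine the bypass query with a path outside the served tree.
function findSuspiciousRequests(lines, servedTopLevel) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue;
    const [client, , url, status] = fields;
    const { path, query } = splitUrl(url);
    if (hasBypassQuery(query) && pathOutsideServedTree(path, servedTopLevel)) {
      hits.push({ client, url, status: Number(status) });
    }
  }
  return hits;
}

// Top-level entries of a hypothetical project served by the dev server.
const SERVED_TOP_LEVEL = new Set(['index.html', 'src', 'public', 'node_modules', '@vite', '@id']);

// Constructed access-log lines: three ordinary dev-server requests, including a
// legitimate raw import under the root, then four requests of the advisory's shape.
const SAMPLE_LOG = [
  '203.0.113.7 GET /src/main.ts 200',
  '203.0.113.7 GET /src/logo.svg?import 200',
  '203.0.113.7 GET /src/shader.glsl?raw&import 200',
  '198.51.100.9 GET /etc/passwd?inline&import 200',
  '198.51.100.9 GET /@fs/etc/shadow?raw?import 200',
  '198.51.100.9 GET /src/../../../etc/hosts?raw?import 200',
  '198.51.100.9 GET /C://windows/win.ini?import&?inline=1.wasm?init 200',
];

console.log('fixed?', ['6.2.3', '6.2.4', '5.3.9', '7.0.0'].map((v) => `${v}=${isFixedViteVersion(v)}`).join(' '));
console.log('suspicious:', findSuspiciousRequests(SAMPLE_LOG, SERVED_TOP_LEVEL).map((h) => h.url));
```

Run it with `node` on the file; the first line of output reports which sample versions are at or above a listed fix, the second lists the four sample requests that combine the bypass query with a path outside the served tree, while the legitimate `/src/shader.glsl?raw&import` request is not reported. For a real deployment, replace `SERVED_TOP_LEVEL` with the project's own top-level entries and feed it the proxy's access log.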
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
3.6
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-200

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

12

  1. 🚨 #CVE-2025-31125: Vitejs Vulnerability Analysis https://t.co/6E2aSdw5kI Educational Purposes!

    @UndercodeUpdate

    5 May 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Vite.js has 72k stars on GitHub ⭐ CVE-2025-31125 Severity: High PoC Video: https://t.co/XKF12w8eq5 GitHub PoC: https://t.co/SNo2X1iXaA #Vitejs #CVE2025 #BugBounty 🛡️ https://t.co/yXHXc989Z7

    @wgujjer11

    3 May 2025

    3936 Impressions

    24 Retweets

    94 Likes

    47 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE-2025-31125 - medium 🚨 Vite Development Server - Path Traversal > Path traversal vulnerability in Vite development server's @fs endpoint allows attacke... 👾 https://t.co/xA37HBgCE6 @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    9 Apr 2025

    129 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Nuclei CVE-2025-31125 POC GET /etc/passwd?import&?inline=1.wasm?init GET /C://windows/win.ini?import&?inline=1.wasm?init fofa-query: body="/@vite/client" https://t.co/0BkUKm8B2s

    @kala14254511439

    1 Apr 2025

    88 Impressions

    0 Retweets

    2 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  5. #CVE-2025-31125 Vite New Bypass Reproduced on 6.2.1 https://t.co/3TpIJLLY9c https://t.co/PrPbgMb00I

    @_r00tuser

    1 Apr 2025

    77 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-31125 the new bypass of vite file read https://t.co/g12bQj23I0

    @sirifu4k1

    1 Apr 2025

    447 Impressions

    2 Retweets

    4 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-31125 Information Disclosure Vulnerability in Vite JavaScript Framework Affecting Network-Exposed Servers https://t.co/6ZxYDy1hKh

    @VulmonFeeds

    31 Mar 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-31125 Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the … https://t.co/VxjCQGC5wz

    @CVEnew

    31 Mar 2025

    248 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes