CVE-2025-31125

5.3 MEDIUM CISA KEV

📋 TL;DR

Vite development servers that have been deliberately exposed to the network can be made to return the contents of files they should never serve: appending the query strings ?inline&import or ?raw?import to a request sends the file through the dev server's transform pipeline, which reads it and returns it while bypassing the server.fs.deny restriction. Only applications that expose the dev server with --host or the server.host option are affected; Vite's default loopback-only binding is not reachable from other machines. The dev server is not meant for production, so the realistic exposure is a developer workstation, shared lab box or CI runner on a network that other people can reach.

💻 Affected Systems

Products:
  • Vite
Versions: 6.2.0 to 6.2.3, 6.1.0 to 6.1.2, 6.0.0 to 6.0.12, 5.0.0 to 5.4.15, and 4.5.10 and earlier (fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11 respectively)
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the Vite dev server is explicitly exposed to the network, either with the --host flag (a bare --host means all interfaces) or with server.host set to true, 0.0.0.0, :: or another non-loopback address. The default binding is localhost.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive configuration files, source code, or credentials stored in the project directory, potentially leading to further compromise.

🟠

Likely Case

Unauthorized access to application source code, configuration files, or other project assets that should remain private.

🟢

If Mitigated

No impact if Vite dev server is not exposed to untrusted networks or if proper network segmentation is in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the exposed Vite dev server and a guess at the target file path; well-known locations such as a .env in the project root or files at absolute paths on the host are easy to guess. No authentication or user interaction is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11

Vendor Advisory: https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8

Restart Required: Yes

Instructions:

1. Check the installed version: npm list vite (pnpm list vite or yarn why vite for other package managers). npm list shows every copy, including ones pulled in by a framework or test runner; all of them need updating. Compare each against the patched release for its own line, not the highest number overall: 6.2.0-6.2.3, 6.1.0-6.1.2, 6.0.0-6.0.12, 5.0.0-5.4.15 and anything up to 4.5.10 are affected.
2. Update to a patched release: npm install vite@latest, or stay on your major line by installing the patched version for it (for example npm install vite@^5.4.16 for a Vite 5 project). npm update takes package names rather than version specs, so use npm install when you want a specific version. Commit the updated lockfile so CI and other developers pick up the fix.
3. Restart every running Vite dev server; the fix only takes effect in a freshly started process.
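The version check in step 1 trips people up because each release line has its own fix: 6.2.0 to 6.2.3 are numerically above the patched 6.1.3 and still affected. The script below is an added example written for this page, not code from Vite or the advisory; it encodes the affected ranges listed above and tells you which release to move to. Pass it the version string printed by npm list vite.

```javascript
// Added example, not Vite's code and not from the advisory page: tests an
// installed Vite version against the release lines fixed for CVE-2025-31125.
// A single "is it newer than X" check gets this wrong, because 6.2.0-6.2.3 sit
// above the patched 6.1.3 and are still affected; each line has its own fix.

// [from, fixed) per release line, taken from the advisory's affected ranges.
const VULNERABLE_RANGES = [
  { from: '6.2.0', fixed: '6.2.4' },
  { from: '6.1.0', fixed: '6.1.3' },
  { from: '6.0.0', fixed: '6.0.13' },
  { from: '5.0.0', fixed: '5.4.16' },
  { from: '0.0.0', fixed: '4.5.11' }, // every release up to 4.5.10
];

// Accepts "6.2.3", "v6.2.3" and prerelease tags such as "6.2.4-beta.1".
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before its release (6.2.4-beta.1 < 6.2.4),
// so a prerelease of the fix version is still treated as unpatched.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function inRange(version, r) {
  return compareSemver(version, r.from) >= 0 && compareSemver(version, r.fixed) < 0;
}

function isVulnerableViteVersion(version) {
  return VULNERABLE_RANGES.some(r => inRange(version, r));
}

// Patched release for the line the version belongs to, or null if none applies.
function fixedVersionFor(version) {
  const r = VULNERABLE_RANGES.find(r => inRange(version, r));
  return r ? r.fixed : null;
}

// Usage: node check-vite-version.js 6.2.3   (version as printed by `npm list vite`)
const cliVersion = process.argv[2];
if (cliVersion && /^v?\d+\.\d+\.\d+/.test(cliVersion)) {
  console.log(isVulnerableViteVersion(cliVersion)
    ? `vite ${cliVersion}: affected, upgrade to ${fixedVersionFor(cliVersion)} or later on that line`
    : `vite ${cliVersion}: not in an affected range`);
}
```

Run it once per copy of Vite that npm list reports; a monorepo or a framework that bundles its own Vite can have several, and the lowest one decides whether the dev server is exposed.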

🔧 Temporary Workarounds

Disable network exposure

all

Remove the --host flag and any server.host setting so the dev server binds to localhost only, which is Vite's default. A --host on the command line overrides vite.config.js, so check both the dev script and however the server is actually launched (a wrapper script or container entrypoint may add the flag). If LAN access is genuinely needed, for example for on-device testing, set server.host to the address of one trusted interface rather than true or 0.0.0.0.

Remove '--host' from dev script in package.json
Remove or comment 'server.host' in vite.config.js
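To make the workaround concrete, here is the exposed server block next to a loopback-only one, together with a small check that resolves the effective bind address the way Vite's --host handling works (the CLI flag wins over the config file). This is an added example written for this page, not code from the Vite project; the **/secrets/** entry in the deny list is an assumed project-specific path.

```javascript
// Added example (not from the Vite project or the page): the server.host settings
// that expose the dev server, next to a loopback-only configuration, plus a check
// that mirrors how Vite resolves the host (a --host on the CLI wins over the file).

// What Vite does with server.host (same as the --host CLI flag):
//   undefined / 'localhost' / loopback IP -> loopback only (default)
//   true / '0.0.0.0' / '::'               -> all interfaces, reachable from the LAN
//   any other address string              -> that interface only
const LOOPBACK = new Set([undefined, 'localhost', '127.0.0.1', '::1']);
const WILDCARD = new Set([true, '0.0.0.0', '::']);

// Weak: what an exposed `server` block in vite.config.js typically looks like.
const exposedServer = {
  host: true,          // or '0.0.0.0'; same effect as `vite --host`
  port: 5173,
};

// Hardened: bind to loopback, refuse to hop ports (so a firewall rule on 5173
// stays valid), and keep Vite's file-serving restrictions on. fs.deny is defence
// in depth only: unpatched versions bypass it via ?inline&import / ?raw?import.
const hardenedServer = {
  host: '127.0.0.1',
  port: 5173,
  strictPort: true,
  fs: {
    strict: true,
    // Vite's default deny list plus an assumed project-specific directory.
    deny: ['.env', '.env.*', '*.{crt,pem}', '**/.git/**', '**/secrets/**'],
  },
};

// Resolve the effective bind address from the config and the dev command line.
// Returns { exposed, host, source } where source is 'cli' or 'config'.
function resolveExposure(serverOptions, argv = []) {
  let host = serverOptions.host;
  let source = 'config';
  const assigned = argv.find(a => a.startsWith('--host='));
  const flagIndex = argv.indexOf('--host');
  if (assigned) {
    source = 'cli';
    host = assigned.slice('--host='.length);
  } else if (flagIndex !== -1) {
    source = 'cli';
    // A bare `--host` means all interfaces; `--host <addr>` binds that address.
    const next = argv[flagIndex + 1];
    host = next === undefined || next.startsWith('-') ? true : next;
  }
  const label = WILDCARD.has(host) ? '0.0.0.0' : host === undefined ? 'localhost' : String(host);
  return { exposed: !LOOPBACK.has(host), host: label, source };
}

console.log('config:', resolveExposure(exposedServer));
console.log('hardened:', resolveExposure(hardenedServer));
console.log('hardened + CLI flag:', resolveExposure(hardenedServer, ['vite', '--host']));
```

The last line is the case the workaround text warns about: a hardened config file does nothing if the dev script still runs vite --host.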

Network segmentation

linux

Restrict access to the Vite dev server port with host firewall rules. Neither rule below cuts off loopback traffic, so local development keeps working: ufw allows the lo interface by default, and the iptables rule excludes it explicitly. Insert the iptables rule at the top of INPUT rather than appending it, or an earlier ACCEPT rule may shadow it.

sudo ufw deny 5173/tcp
sudo iptables -I INPUT -p tcp --dport 5173 ! -i lo -j DROP

If 5173 is busy, Vite moves to the next free port and the rule no longer covers it; set server.strictPort so the server fails instead of moving.

🧯 If You Can't Patch

  • Ensure the Vite dev server is not exposed to untrusted networks (remove --host and server.host); if LAN access is genuinely needed, bind to a single trusted interface
  • Implement strict network access controls and firewall rules for the Vite dev server port, and remember that this is a dev-only server that should not run unattended on a shared network

🔍 How to Verify

Check if Vulnerable:

The project is exposed only if both conditions hold: (1) the dev server is started with --host, in the dev script in package.json or on the command line (a CLI --host overrides the config file), or vite.config.* sets server.host to true, 0.0.0.0, :: or a non-loopback address; and (2) the installed Vite version is in an affected range (6.2.0-6.2.3, 6.1.0-6.1.2, 6.0.0-6.0.12, 5.0.0-5.4.15, or 4.5.10 and earlier). A quick tell for (1): Vite prints a Network: line with a reachable address at startup when it is exposed, and "Network: use --host to expose" when it is not.

Check Version:

npm list vite | grep vite

Verify Fix Applied:

Confirm the installed Vite version is at or above the patched release for its own line: 6.2.4 or later on 6.2.x, 6.1.3 or later on 6.1.x, 6.0.13 or later on 6.0.x, 5.4.16 or later on 5.x, or 4.5.11 or later on 4.x. Compare within the line, not against the largest patched number: 6.2.0 to 6.2.3 are above 6.1.3 and still vulnerable.

📡 Detection & Monitoring

Log Indicators:

  • Requests to the Vite dev server whose query string combines import with inline or raw (?inline&import, ?raw?import, in either order and with ? or & as the separator). Vite rewrites its own asset imports into the same shape (?raw&import, ?inline&import), so the query alone is noisy; the distinguishing signal is the target path
  • Request paths outside the project root (the /@fs/ prefix, ../ segments) or naming secrets (.env, private keys, .git contents), especially with a 200 response and a non-empty body, from a client that is not the developer's own machine

Network Indicators:

  • HTTP requests to the Vite dev server port (5173 by default; Vite moves to the next free port unless strictPort is set) from hosts other than the developer's own machine, carrying the query shapes above. The dev server keeps no access log of its own, so capture at a reverse proxy, a host firewall log or a network sensor

SIEM Query:

dest_port:5173 AND url_query:*import* AND (url_query:*inline* OR url_query:*raw*)

The dev server is the destination, so filter on the destination port rather than the source port (a client's source port is ephemeral). Because Vite rewrites ordinary ?raw and ?inline asset imports into the same shape, add a path condition (url_path:*/@fs/*, url_path:*.env*, url_path:*..*) or a client-address condition to separate probes from developer traffic.
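The same logic as the indicators and query above, run over access-log lines so the noise argument is visible: the query shape is matched in either parameter order, and severity is raised only when the target is outside the project root or names a secret. This is an added example written for this page, not code from Vite or the advisory; it assumes a reverse proxy in front of the dev server writing nginx combined-format lines, and the sample lines are constructed.

```javascript
// Added example, not Vite code and not from the advisory page: flags
// CVE-2025-31125-style requests in an access log. Vite's dev server keeps no
// access log of its own, so this assumes a reverse proxy in front of it writing
// nginx "combined" lines; the sample lines at the bottom are constructed.

// nginx combined: client - user [time] "METHOD target PROTO" status bytes "ref" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Files an attacker would aim for; a hit on the request path raises severity.
const SENSITIVE_FILE =
  /(^|\/)(\.env(\.[^/]*)?|\.git|\.ssh|id_[a-z0-9]+|passwd|shadow|[^/]*\.(pem|key|crt|p12|pfx))$/;
// Targets outside the project root: Vite's /@fs/ prefix or a ../ segment.
const OUT_OF_ROOT = /^\/@fs\/|(^|\/)\.\.(\/|$)/;
const RANK = { low: 0, medium: 1, high: 2 };

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, client, time, method, target, status] = m;
  const q = target.indexOf('?');
  const rawPath = q < 0 ? target : target.slice(0, q);
  let path;
  try { path = decodeURIComponent(rawPath); } catch (e) { path = rawPath; }
  return { client, time, method, status: Number(status), path, query: q < 0 ? '' : target.slice(q) };
}

// Vite treats both ? and & as separators, so ?raw?import and ?inline&import both
// yield the keys {raw|inline, import}; the order of the parameters is irrelevant.
function queryKeys(query) {
  return new Set(query.split(/[?&]/).filter(Boolean).map(p => p.split('=')[0].toLowerCase()));
}

function isVulnQuery(query) {
  const keys = queryKeys(query);
  return keys.has('import') && (keys.has('inline') || keys.has('raw'));
}

// low:    query shape only (Vite rewrites legitimate `?raw` / `?inline` asset
//         imports to ?raw&import / ?inline&import, so this alone is noise)
// medium: query shape against a path outside the project root
// high:   query shape against a named secret; a 200 status means it was served
function classify(req) {
  if (!isVulnQuery(req.query)) return null;
  let severity = 'low';
  if (OUT_OF_ROOT.test(req.path)) severity = 'medium';
  if (SENSITIVE_FILE.test(req.path)) severity = 'high';
  return { client: req.client, time: req.time, status: req.status,
           target: req.path + req.query, severity };
}

function scanLog(lines, minSeverity = 'medium') {
  return lines.map(parseLine).filter(Boolean).map(classify)
    .filter(f => f && RANK[f.severity] >= RANK[minSeverity]);
}

// Constructed sample: normal dev traffic, one legitimate ?raw import, then probes.
const SAMPLE_LOG = [
  '10.0.0.8 - - [31/Mar/2025:10:01:02 +0000] "GET /src/main.ts HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
  '10.0.0.8 - - [31/Mar/2025:10:01:03 +0000] "GET /src/shader.glsl?raw&import HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [31/Mar/2025:10:05:41 +0000] "GET /@fs/etc/passwd?raw?import HTTP/1.1" 200 2419 "-" "curl/8.5.0"',
  '203.0.113.7 - - [31/Mar/2025:10:05:42 +0000] "GET /.env?inline&import HTTP/1.1" 200 188 "-" "curl/8.5.0"',
  '203.0.113.7 - - [31/Mar/2025:10:05:43 +0000] "GET /@fs/home/dev/.ssh/id_ed25519?inline&import HTTP/1.1" 200 411 "-" "curl/8.5.0"',
  '203.0.113.7 - - [31/Mar/2025:10:05:44 +0000] "GET /@fs/tmp/notes.txt?raw?import HTTP/1.1" 403 23 "-" "curl/8.5.0"',
  '198.51.100.2 - - [31/Mar/2025:10:07:00 +0000] "POST /api/login HTTP/1.1" 404 0 "-" "python-requests/2.31"',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.severity.toUpperCase()} ${f.client} ${f.status} ${f.target}`);
}
```

With the default threshold the legitimate shader.glsl?raw&import request is dropped while the four probes from 203.0.113.7 are reported; the 403 on the last probe shows the deny list working for a path it covers, whereas the 200s are the leak. Lower the threshold to 'low' when hunting, but expect a hit for every asset import the application makes.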
