Cyber Posture

CVE-2025-31125

Medium · CISA KEV · Active Exploitation · Public PoC

Published: 31 March 2025
Modified: 23 January 2026
KEV Added: 22 January 2026
Patch
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.8210 (99.2th percentile)
Risk Priority: 80 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-31125 is a vulnerability in Vite, a frontend tooling framework for JavaScript, that exposes the content of non-allowed files via the ?inline?import or ?raw?import query parameters when interacting with the Vite development server. Only applications explicitly exposing the Vite dev server to the network—through the --host command-line option or the server.host configuration—are affected. The issue carries a CVSS v3.1 base score of 5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control).

A remote attacker with network access to the exposed dev server can exploit this by tricking a user—such as a developer—into loading a crafted URL containing the vulnerable query parameters. Exploitation requires user interaction but no privileges, allowing the attacker to retrieve sensitive file contents from the server, resulting in high confidentiality impact without compromising integrity or availability.

Vite has patched the vulnerability in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. The official GitHub security advisory (GHSA-4r4m-qw57-chr8) and the fixing commit (59673137c45ac2bcfad1170d954347c1a17ab949) provide full details on the changes.
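A defender's triage of the two conditions described above (a dev server exposed with --host, and a Vite version below the fixed releases), as an added example that is not code from this page or from the Vite project. The function names and the sample scripts are assumptions; the installed version would normally be read from node_modules/vite/package.json, and a server.host setting in the Vite config is not inspected.

```javascript
// Added example (not Vite's code): triage one project for CVE-2025-31125.
// Fixed releases are the ones listed above, newest first.
const FIXED = ["6.2.4", "6.1.3", "6.0.13", "5.4.16", "4.5.11"].map(parse);

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1).map(Number);
}

// Fixed means: at or above the fix for the same major.minor line, or on a
// line newer than the newest fixed one. Lines with no listed fix
// (for example 5.3.x or 4.4.x) are reported as not fixed.
function isFixed(version) {
  const [maj, min, pat] = parse(version);
  const line = FIXED.find(([fMaj, fMin]) => fMaj === maj && fMin === min);
  if (line) return pat >= line[2];
  const [newMaj, newMin] = FIXED[0];
  return maj > newMaj || (maj === newMaj && min > newMin);
}

// Names of npm scripts that start the dev server with --host. Build and
// preview subcommands are skipped because the page concerns the dev server.
function exposingScripts(scripts) {
  return Object.entries(scripts || {}).filter(([, cmd]) =>
    cmd.split(/&&|\|\||;|\|/).some((part) => {
      const t = part.trim().split(/\s+/);
      const i = t.findIndex((x) => x === "vite" || x.endsWith("/vite"));
      if (i < 0 || ["build", "preview", "optimize"].includes(t[i + 1])) return false;
      return t.slice(i + 1).some((x) => x === "--host" || x.startsWith("--host="));
    })
  ).map(([name]) => name);
}

function assess(installedVersion, scripts) {
  const fixed = isFixed(installedVersion);
  const exposedBy = exposingScripts(scripts);
  return { fixed, exposedBy, atRisk: !fixed && exposedBy.length > 0 };
}

// Constructed sample input: installed version plus package.json "scripts".
const sample = { dev: "vite --host 0.0.0.0", build: "vite build", preview: "vite preview --host" };
console.log(assess("5.4.15", sample)); // server.host in vite.config.* is not inspected here
```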

This CVE appears in the CISA Known Exploited Vulnerabilities Catalog, signaling real-world exploitation activity.

Details

CWE(s): CWE-200 · CWE-284 · NVD-CWE-noinfo
KEV Date Added: 22 January 2026

Affected Products

vitejs / vite: ≤ 4.5.11 · 5.0.0 — 5.4.16 · 6.0.0 — 6.0.13

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability enables direct retrieval of arbitrary local file contents (sensitive data) from the system via the exposed Vite dev server, mapping to T1005; when the dev server is network-exposed via --host, exploitation of this public-facing application for unauthorized data access maps to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
