Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 24 Sep 2025 15:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.08564}

epss

{'score': 0.08688}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.10806}

epss

{'score': 0.08564}


Wed, 02 Apr 2025 14:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 31 Mar 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Description Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Title Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Weaknesses CWE-200
CWE-284
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-03-31T17:59:26.675Z

Reserved: 2025-03-26T15:04:52.626Z

Link: CVE-2025-31125

cve-icon Vulnrichment

Updated: 2025-03-31T17:58:49.260Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-31T17:15:43.163

Modified: 2025-09-24T15:45:00.070

Link: CVE-2025-31125

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-03-31T17:06:30Z

Links: CVE-2025-31125 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T15:26:03Z