{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-26T15:04:52.626Z", "datePublished": "2025-03-31T17:06:30.704Z", "dateUpdated": "2025-03-31T17:59:26.675Z"}, "containers": {"cna": {"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"}, {"name": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 6.2.0, < 6.2.4", "status": "affected"}, {"version": ">= 6.1.0, < 6.1.3", "status": "affected"}, {"version": ">= 6.0.0, < 6.0.13", "status": "affected"}, {"version": ">= 5.0.0, < 5.4.16", "status": "affected"}, {"version": "< 4.5.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-31T17:31:51.583Z"}, "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."}], "source": {"advisory": "GHSA-4r4m-qw57-chr8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T17:59:19.450898Z", "id": "CVE-2025-31125", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T17:59:26.675Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-31125", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T17:59:19.450898Z"}}}], "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T17:58:49.260Z"}}], "cna": {"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query", "source": {"advisory": "GHSA-4r4m-qw57-chr8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"status": "affected", "version": ">= 6.2.0, < 6.2.4"}, {"status": "affected", "version": ">= 6.1.0, < 6.1.3"}, {"status": "affected", "version": ">= 6.0.0, < 6.0.13"}, {"status": "affected", "version": ">= 5.0.0, < 5.4.16"}, {"status": "affected", "version": "< 4.5.11"}]}], "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "name": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949", "name": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-31T17:31:51.583Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31125", "state": "PUBLISHED", "dateUpdated": "2025-03-31T17:59:26.675Z", "dateReserved": "2025-03-26T15:04:52.626Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-31T17:06:30.704Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7A30C04F-CD9B-4205-BC89-9C9FE6C4B8D4", "versionEndExcluding": "4.5.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B4B2C2B8-B924-4101-922A-F7164B58F683", "versionEndExcluding": "5.4.16", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4E94BAC6-64A0-4514-85EA-E307E267D688", "versionEndExcluding": "6.0.13", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7E8A7AC3-D23F-44DA-B505-59CE155792DB", "versionEndExcluding": "6.1.3", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B3710ACF-96C0-4931-A5A1-7810D116AADE", "versionEndExcluding": "6.2.4", "versionStartIncluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."}, {"lang": "es", "value": "Vite es un framework de herramientas frontend para JavaScript. Vite expone el contenido de archivos no permitidos mediante ?inline&amp;import o ?raw?import. Solo las aplicaciones que exponen expl\u00edcitamente el servidor de desarrollo de Vite a la red (mediante la opci\u00f3n de configuraci\u00f3n --host o server.host) se ven afectadas. Esta vulnerabilidad est\u00e1 corregida en las versiones 6.2.4, 6.1.3, 6.0.13, 5.4.16 y 4.5.11."}], "id": "CVE-2025-31125", "lastModified": "2025-09-24T15:45:00.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-31T17:15:43.163", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query", "id": "2356283", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356283"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "(CWE-200|CWE-284)", "details": ["Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.", "A flaw was found in the Vite Node.js package. Vite exposes content of non-allowed files using `?inline&import` or `?raw?import`. Only apps explicitly exposing the Vite dev server to the network (using the `--host` or `server.host` config options) are affected."], "name": "CVE-2025-31125", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-gateway-opa-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-gateway-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-rhel8-operator", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2025-03-31T17:06:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-31125\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-31125\nhttps://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949\nhttps://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"], "threat_severity": "Moderate"}

{"created": "2025-07-12T15:26:03.787973+00:00", "updated": "2025-07-12T15:26:03.788018+00:00", "vendors": ["vitejs", "vitejs$PRODUCT$vite"]}