CVE-2025-31125
- EPSS 62.1%
- Veröffentlicht 31.03.2025 17:15:43
- Zuletzt bearbeitet 23.01.2026 18:39:55
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Login22.01.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vite Vitejs Improper Access Control Vulnerability
SchwachstelleVite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
BeschreibungApply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 62.1% | 0.991 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
|
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.