CVE-2025-31125 — Vite Vitejs Improper Access Control Vulnerability

Vite Dev Server — Arbitrary File Read via ?inline&import or ?raw?import Query Parameters

What is Vite?

Vite (French for "quick") is a next-generation JavaScript build tool and development server created by Evan You, also the creator of Vue.js. It is one of the most widely used frontend tooling solutions in modern web development, providing extremely fast hot module replacement (HMR) and optimized production builds. Vite is the default build tool for Vue 3, SvelteKit, Astro, Remix, and many other frameworks, and is commonly used with React. The Vite dev server is used during development to serve source files directly to the browser with near-instant refresh.

Overview

Vite's development server has an information-exposure vulnerability (tracked as CWE-200, Exposure of Sensitive Information to an Unauthorized Actor; CISA's KEV entry titles it an improper access control flaw) that lets an unauthenticated remote attacker read files the server is configured not to serve, including files outside the project root. By appending the query combinations ?inline&import or ?raw?import to a request URL, the attacker causes the dev server to skip its file-access restrictions and return the file's contents.

This vulnerability only affects deployments where the Vite dev server is reachable over the network, i.e. started with the --host flag or with the server.host option set to something other than localhost (passing --host with no value binds all interfaces). Production builds produced by vite build do not use the dev server and are not affected.

Affected Versions

Vite branch   Fixed in
6.2.x         6.2.4
6.1.x         6.1.3
6.0.x         6.0.13
5.x           5.4.16
4.x           4.5.11

Every release in a branch earlier than the listed version is affected. Vite 3.x and earlier are end-of-life and received no fix; upgrade to a supported branch.

Technical Details

Vite's dev server maps request URLs to files within the configured project root. Certain special query parameters instruct Vite to handle a request differently:

  • ?inline — causes Vite to inline the file content (e.g., for CSS, assets)
  • ?raw — causes Vite to return the raw content of a file as a string
  • ?import — signals that the request is a module import

The vulnerability arises when these parameters are combined as ?inline&import or ?raw?import. Vite's access-control logic (server.fs.allow, which limits serving to the workspace root and explicitly listed directories, and server.fs.deny, which blocks sensitive files such as .env even inside the root) was not applied to requests in these forms, so a file that the check would otherwise refuse was handed back as raw or inlined content. An attacker could craft a request such as:

http://localhost:5173/../../../etc/passwd?raw?import

The path component must be one the dev server resolves to the target file (Vite also exposes absolute filesystem paths under its /@fs/ prefix). The result is a read of files outside the project root or on the deny list: environment files (.env), private keys, configuration files, and anything else readable by the Vite process.

Attack characteristics:

  • Network access required: The Vite dev server must be exposed on a network interface beyond 127.0.0.1
  • No authentication: No credentials required to exploit
  • User interaction: the published CVSS vector carries UI:R and AC:H, which is why the base score is only 5.3 (Medium). The advisory's reading is that a developer must be running the dev server at the time; no victim browser interaction is needed for the file read itself, so treat the numeric score as a floor when prioritising
  • Single request: File reads can be achieved with a single crafted HTTP GET request
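
Because the exploit is a single GET with a recognisable shape, it is easy to triage from the access log of a reverse proxy or a packet capture taken in front of the dev server. The script below is an added example, not code from the Vite project or from this advisory: it parses HTTP request lines, flags paths that match patterns modelled on Vite's default server.fs.deny list (.env, .env.*, *.{crt,pem}, **/.git/**) or that reach outside an assumed project root (/srv/app), and combines that with the raw/inline plus import query signature. It deliberately generalises beyond the two exact forms on this page by accepting any separator between the query keys, so the benign ?raw&import that Vite itself generates for a file under the project root still classifies as normal traffic. All sample request lines are constructed for the example.

```javascript
// Added example (not Vite project code): triage request lines captured in
// front of a Vite dev server and flag requests shaped like the
// CVE-2025-31125 bypass. PROJECT_ROOT is an assumption for the example.
const PROJECT_ROOT = '/srv/app';

// Modelled on Vite's default server.fs.deny ('.env', '.env.*', '*.{crt,pem}',
// '**/.git/**'); '.key' and '.ssh' are added here as common private-key locations.
const SENSITIVE_PATH = [
  /(^|\/)\.env(\.[^/]*)?$/, // .env, .env.local, .env.production ...
  /\.(crt|pem|key)$/,       // certificates and private keys
  /(^|\/)\.git(\/|$)/,      // repository metadata
  /(^|\/)\.ssh(\/|$)/,      // ~/.ssh/id_rsa and friends
];

// Query keys that make Vite hand back file contents as a string / module.
// Any separator is accepted, so ?raw?import, ?inline&import and ?raw&import all match.
const CONTENT_KEY = /(^|[?&])(raw|inline)(?=$|[?&=])/;
const IMPORT_KEY = /(^|[?&])import(?=$|[?&=])/;

function parseTarget(requestLine) {
  const m = /^([A-Z]+)\s+(\S+)\s+HTTP\/\d\.\d$/.exec(requestLine.trim());
  if (!m) return null;
  const [, method, target] = m;
  const qIdx = target.indexOf('?');
  const rawPath = qIdx === -1 ? target : target.slice(0, qIdx);
  const query = qIdx === -1 ? '' : target.slice(qIdx + 1);
  let path;
  try { path = decodeURIComponent(rawPath); } catch { path = rawPath; } // %2e%2e -> ..
  return { method, path, query };
}

// True when the (decoded) path walks out of the project root, either with
// '..' segments or via Vite's /@fs/ prefix pointing at an absolute path.
function outsideRoot(path) {
  if (path.split('/').includes('..')) return true;
  if (path.startsWith('/@fs/')) {
    const abs = '/' + path.slice('/@fs/'.length).replace(/^\/+/, '');
    return !abs.startsWith(PROJECT_ROOT + '/');
  }
  return false;
}

// Verdicts: 'exploit-attempt' (denied file + raw/inline + import),
// 'suspicious' (denied file, other query shape), 'normal', 'unparseable'.
function classifyRequest(requestLine) {
  const req = parseTarget(requestLine);
  if (!req) return 'unparseable';
  const sensitive = SENSITIVE_PATH.some((re) => re.test(req.path)) || outsideRoot(req.path);
  const contentQuery = CONTENT_KEY.test(req.query) && IMPORT_KEY.test(req.query);
  if (sensitive && contentQuery) return 'exploit-attempt';
  if (sensitive) return 'suspicious';
  return 'normal';
}

function triageLog(lines) {
  return lines.map((line) => ({ line, verdict: classifyRequest(line) }));
}

// Constructed sample request lines (not from a real incident).
const SAMPLE_REQUESTS = [
  'GET /src/main.ts HTTP/1.1',
  'GET /src/logo.svg?import HTTP/1.1',
  'GET /src/styles.css?inline&import HTTP/1.1',
  'GET /src/assets/readme.txt?raw&import HTTP/1.1',
  'GET /@fs/srv/app/src/main.ts?import HTTP/1.1',
  'GET /.env?raw?import HTTP/1.1',
  'GET /@fs/etc/passwd?inline&import HTTP/1.1',
  'GET /@fs/home/dev/.ssh/id_rsa?raw?import HTTP/1.1',
  'GET /src/%2e%2e/%2e%2e/etc/passwd?raw?import HTTP/1.1',
  'GET /.env.local HTTP/1.1',
];

for (const { line, verdict } of triageLog(SAMPLE_REQUESTS)) {
  console.log(verdict.padEnd(16), line);
}
```

The dev server itself writes no access log, so the lines have to come from something in front of it (the reverse proxy recommended under Remediation, or a capture). Matching on the query alone is not enough: the ?inline&import form is exactly what Vite generates for a legitimate CSS import, and only the target path separates benign traffic from an attempt on a denied file.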

Common exposure scenarios:

  • CI/CD pipelines running vite --host for integration testing accessible from other pipeline services
  • Docker development containers with Vite bound to 0.0.0.0 and ports exposed to the host network
  • Staging environments using Vite dev server instead of a production build
  • Developer machines where Vite is accessible from a corporate LAN

Discovery

Reported to the Vite security team and disclosed on March 31, 2025 via GitHub Security Advisories, with fixed releases published the same day. CISA added the vulnerability to the KEV catalog in January 2026, roughly ten months after the fix was released, confirming that unpatched deployments were being exploited.

Exploitation Context

Although the Vite dev server is meant to be network-exposed only in development and staging, in practice many CI/CD pipelines and containerised development environments run it with --host and expose it to broader networks. The CISA KEV addition in January 2026, about ten months after the fix, indicates continued exploitation of instances that were never upgraded.

Sensitive files commonly accessible via this vulnerability include:

  • .env and .env.local files containing API keys, database passwords, and cloud credentials
  • ~/.ssh/id_rsa and other private keys accessible to the process
  • Application configuration files with database connection strings
  • Source code outside the web root

Remediation

  1. Upgrade Vite — update to 4.5.11, 5.4.16, 6.0.13, 6.1.3, or 6.2.4 or later, depending on your version branch. Check every copy of vite in the dependency tree, not only the top-level one.
  2. Do not expose the Vite dev server to untrusted networks — leave server.host at its default (localhost) where possible; if --host or server.host is required, restrict access with firewall rules or put a reverse proxy with authentication in front of it.
  3. Use production builds in staging — run vite build rather than vite --host in staging environments; use a static file server (nginx, Caddy) to serve the output.
  4. Audit running dev servers — inventory all environments where Vite is running with --host and verify they are patched.
  5. Check for .env exposure — if a vulnerable instance was internet-accessible, rotate all secrets stored in .env files and audit for unauthorized API usage.
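
The upgrade and audit steps above come down to one question per installed copy of Vite: is this version at or past the first fixed release of its branch? The script below is an added example, not code from the Vite project: it compares a version string against the fixed releases published in the Vite advisory for this CVE (4.5.11, 5.4.16, 6.0.13, 6.1.3, 6.2.4) and walks the JSON that npm ls vite --json --all prints, so nested copies pulled in by a framework or a legacy workspace package are not missed. The dependency tree shown is constructed for the example; pre-release and build suffixes are ignored for simplicity.

```javascript
// Added example (not Vite project code): decide whether an installed Vite
// version carries the CVE-2025-31125 fix and locate every copy in a tree.

// First release of each branch that contains the fix.
const FIXED_IN = ['6.2.4', '6.1.3', '6.0.13', '5.4.16', '4.5.11'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v); // suffixes such as -beta.1 are ignored
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// 6.x received a fix per minor line; 5.x and 4.x received one fix each.
function branchOf(v) {
  return v[0] >= 6 ? `${v[0]}.${v[1]}` : `${v[0]}`;
}

function isPatched(version) {
  const v = parseVersion(version);
  const fix = FIXED_IN.map(parseVersion).find((f) => branchOf(f) === branchOf(v));
  if (!fix) {
    // Branches newer than the table (6.3+, 7.x) were released after the fix;
    // 3.x and earlier are end-of-life and never received one.
    return v[0] > 6 || (v[0] === 6 && v[1] > 2);
  }
  return compare(v, fix) >= 0;
}

// Walk `npm ls vite --json --all` output:
// { name, version, dependencies: { <pkg>: { version, dependencies: {...} } } }
function findVite(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'vite' && node.version) {
      out.push({ path: here.join(' > '), version: node.version, patched: isPatched(node.version) });
    }
    findVite(node, here, out);
  }
  return out;
}

// Constructed sample of `npm ls vite --json --all` for a small monorepo:
// the root is patched, but two workspace dependencies still pull old copies.
const SAMPLE_TREE = {
  name: 'monorepo',
  version: '1.0.0',
  dependencies: {
    vite: { version: '6.2.4' },
    '@sveltejs/kit': { version: '2.0.0', dependencies: { vite: { version: '5.4.15' } } },
    'legacy-app': { version: '0.1.0', dependencies: { vite: { version: '4.5.10' } } },
  },
};

function auditSample() {
  return findVite(SAMPLE_TREE);
}

for (const r of auditSample()) {
  console.log(r.patched ? 'ok       ' : 'VULNERABLE', r.version.padEnd(8), r.path);
}
```

To run this against a real project, replace SAMPLE_TREE with JSON.parse of the output of npm ls vite --json --all (or the equivalent listing from pnpm or yarn) and treat every row whose patched flag is false as a remediation item.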

Key Details

Property               Value
CVE ID                 CVE-2025-31125
Vendor / Product       Vite — Vitejs
NVD Published          2025-03-31
NVD Last Modified      2026-01-23
CVSS 3.1 Score         5.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity               MEDIUM
CWE                    CWE-200
CISA KEV Added         2026-01-22
CISA KEV Deadline      2026-02-12
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2026-02-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-03-31   Vite security advisory published; CVE published; fixed versions released
2026-01-22   Added to CISA Known Exploited Vulnerabilities catalog
2026-02-12   CISA BOD 22-01 remediation deadline