Vulnerability Description
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vitejs | Vite | < 4.5.11 |
Related Weaknesses (CWE)
References
- https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949Patch
- https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8ExploitVendor Advisory
- https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8ExploitVendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-US Government Resource
FAQ
What is CVE-2025-31125?
CVE-2025-31125 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (us...
How severe is CVE-2025-31125?
CVE-2025-31125 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-31125?
Check the references section above for vendor advisories and patch information. Affected products include: Vitejs Vite.