Vulnerability Description
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.
Related Weaknesses (CWE)
References
- https://github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4b
- https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-616
- https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-4pfg-2mw5-f8j
- https://hackerone.com/reports/3117837
FAQ
What is CVE-2025-59427?
CVE-2025-59427 is a documented vulnerability. The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by th...
How severe is CVE-2025-59427?
CVSS scoring is not yet available for CVE-2025-59427. Check NVD for updates.
Is there a patch for CVE-2025-59427?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.