CVE-2025-31125
Published: 31 March 2025
Summary
CVE-2025-31125 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).
Deeper analysis
Vite, a frontend tooling framework for JavaScript, contains an information disclosure vulnerability that allows the contents of files outside an allowed set to be read when the query parameters ?inline&import or ?raw?import are supplied to the development server. The flaw affects only deployments that explicitly expose the Vite dev server to the network via the --host flag or the server.host configuration option and is tracked under CWE-200 and CWE-284.
An unauthenticated remote attacker who can reach an exposed Vite development server can leverage the parameters to retrieve sensitive file contents, resulting in high-impact confidentiality loss. Exploitation requires user interaction and presents high attack complexity according to the CVSS 5.3 rating, limiting the practical attack surface to misconfigured developer or test environments.
The official GitHub security advisories and accompanying commit indicate that the issue is resolved in Vite versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11; administrators should upgrade affected instances and avoid exposing the development server to untrusted networks.
The CVE appears in the CISA Known Exploited Vulnerabilities catalog, and its EPSS score has remained elevated near 0.83–0.84, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8866
Vulnerability details
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is…
more
fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
- CWE(s)
- KEV Date Added
- 22 January 2026
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables direct retrieval of arbitrary local file contents (sensitive data) from the system via the exposed Vite dev server, mapping to T1005; when the dev server is network-exposed via --host, exploitation of this public-facing application for unauthorized data access maps to T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the vulnerability by requiring timely patching of affected Vite versions to prevent exposure of non-allowed files via query parameters.
Ensures secure configuration of Vite dev server by prohibiting network exposure options like --host or server.host, eliminating the condition required for exploitation.
Enforces boundary protections to block unauthorized network access to exposed Vite dev server ports, preventing remote attackers from reaching the vulnerable endpoint.