Cyber Resilience

CVE-2025-31125

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 31 March 2025

Modified: 23 January 2026
KEV Added: 22 January 2026
Patch
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.8324 (99.3rd percentile)
Risk Priority: 81 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31125 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).

Deeper analysis

Vite, a frontend tooling framework for JavaScript, contains an information disclosure vulnerability that allows the contents of files outside an allowed set to be read when the query parameters ?inline&import or ?raw?import are supplied to the development server. The flaw affects only deployments that explicitly expose the Vite dev server to the network via the --host flag or the server.host configuration option and is tracked under CWE-200 and CWE-284.

An unauthenticated remote attacker who can reach an exposed Vite development server can leverage the parameters to retrieve sensitive file contents, resulting in high-impact confidentiality loss. Exploitation requires user interaction and presents high attack complexity according to the CVSS 5.3 rating, limiting the practical attack surface to misconfigured developer or test environments.

The official GitHub security advisories and accompanying commit indicate that the issue is resolved in Vite versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11; administrators should upgrade affected instances and avoid exposing the development server to untrusted networks.
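As an added example (not code from the advisory or the Vite project), the triage below combines the two conditions described above: a resolved Vite version older than the fixed release on its line, and a dev server bound beyond loopback via server.host or --host. The inventory shape, the project names and the release-line mapping are assumptions made for illustration.

```javascript
// Fixed releases named in the advisory text above, one per release line.
const FIXED = { "6.2": [6, 2, 4], "6.1": [6, 1, 3], "6.0": [6, 0, 13], "5": [5, 4, 16], "4": [4, 5, 11] };
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

// Parse a resolved version (e.g. from a lockfile); pre-release tags are ignored.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1).map(Number);
}

// Assumption: 6.x is judged against the fix on its own minor line, 5.x against
// 5.4.16, 4.x and older against 4.5.11; releases above 6.2 postdate the fix.
function isPatched(version) {
  const v = parse(version);
  const [major, minor] = v;
  if (major > 6 || (major === 6 && minor > 2)) return true;
  const fix = major === 6 ? FIXED[`6.${minor}`] : FIXED[major === 5 ? "5" : "4"];
  for (let i = 0; i < 3; i++) if (v[i] !== fix[i]) return v[i] > fix[i];
  return true;
}

// True when the dev server listens beyond loopback via server.host or --host.
function isExposed({ serverHost, scripts = {} }) {
  const viaConfig = serverHost === true || (typeof serverHost === "string" && !LOOPBACK.has(serverHost));
  const viaFlag = Object.values(scripts).some((cmd) => {
    const m = /\bvite\b.*?\s--host(?:[=\s]+([^\s-]\S*))?/.exec(cmd);
    return m !== null && !LOOPBACK.has(m[1]); // bare --host binds all interfaces
  });
  return viaConfig || viaFlag;
}

function triage(projects) {
  return projects.map((p) => {
    const patched = isPatched(p.version), exposed = isExposed(p);
    const action = !patched ? (exposed ? "upgrade-now" : "upgrade") : exposed ? "review-exposure" : "ok";
    return { name: p.name, patched, exposed, action };
  });
}

// Constructed sample inventory (hypothetical projects, not real data).
const SAMPLE = [
  { name: "storefront", version: "6.2.3", scripts: { dev: "vite --host" } },
  { name: "admin-ui", version: "5.4.16", serverHost: "0.0.0.0" },
  { name: "docs", version: "6.0.12", scripts: { dev: "vite --host localhost" } },
  { name: "legacy", version: "4.5.10", serverHost: true },
  { name: "portal", version: "6.1.3", scripts: { dev: "vite", build: "vite build" } },
];
console.table(triage(SAMPLE));
```

Feed it versions resolved from the lockfile rather than package.json ranges, since a range such as ^5.4.2 does not say which release is actually installed.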

The CVE appears in the CISA Known Exploited Vulnerabilities catalog, and its EPSS score has remained elevated near 0.83–0.84, indicating sustained exploitation interest after disclosure.

Vulnerability details

Vite is a frontend tooling framework for JavaScript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

CWE(s)
KEV Date Added: 22 January 2026

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables direct retrieval of arbitrary local file contents (sensitive data) from the system via the exposed Vite dev server, which maps to T1005. When the dev server is network-exposed via --host, exploitation of this public-facing application for unauthorized data access maps to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30208 · Same product: Vitejs Vite
CVE-2026-39364 · Same product: Vitejs Vite
CVE-2026-39363 · Same product: Vitejs Vite
CVE-2026-35616 · Shared CWE-284 · both on KEV
CVE-2026-5571 · Shared CWE-200, CWE-284
CVE-2025-24989 · Shared CWE-284 · both on KEV
CVE-2025-12480 · Shared CWE-284 · both on KEV
CVE-2026-20133 · Shared CWE-200 · both on KEV
CVE-2026-32938 · Shared CWE-200, CWE-284
CVE-2026-2055 · Shared CWE-200, CWE-284

Affected Assets

vitejs
vite
≤ 4.5.11 · 5.0.0 — 5.4.16 · 6.0.0 — 6.0.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely patching of affected Vite versions to prevent exposure of non-allowed files via query parameters.

prevent

Ensures secure configuration of Vite dev server by prohibiting network exposure options like --host or server.host, eliminating the condition required for exploitation.

prevent

Enforces boundary protections to block unauthorized network access to exposed Vite dev server ports, preventing remote attackers from reaching the vulnerable endpoint.

References