CVE-2025-31125
Published: 31 March 2025
Summary
CVE-2025-31125 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring timely patching of affected Vite versions to prevent exposure of non-allowed files via query parameters.
Ensures secure configuration of Vite dev server by prohibiting network exposure options like --host or server.host, eliminating the condition required for exploitation.
Enforces boundary protections to block unauthorized network access to exposed Vite dev server ports, preventing remote attackers from reaching the vulnerable endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables direct retrieval of arbitrary local file contents (sensitive data) from the system via the exposed Vite dev server, mapping to T1005; when the dev server is network-exposed via --host, exploitation of this public-facing application for unauthorized data access maps to T1190.
NVD Description
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Deeper analysis
CVE-2025-31125 is a vulnerability in Vite, a frontend tooling framework for JavaScript, that exposes the content of non-allowed files via the ?inline&import or ?raw?import query parameters when interacting with the Vite development server. Only applications that explicitly expose the Vite dev server to the network, through the --host command-line option or the server.host configuration, are affected. The issue carries a CVSS v3.1 base score of 5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control).
A remote attacker with network access to the exposed dev server can exploit this by tricking a user—such as a developer—into loading a crafted URL containing the vulnerable query parameters. Exploitation requires user interaction but no privileges, allowing the attacker to retrieve sensitive file contents from the server, resulting in high confidentiality impact without compromising integrity or availability.
Vite has patched the vulnerability in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. The official GitHub security advisory (GHSA-4r4m-qw57-chr8) and the fixing commit (59673137c45ac2bcfad1170d954347c1a17ab949) provide full details on the changes.
This CVE appears in the CISA Known Exploited Vulnerabilities Catalog, signaling real-world exploitation activity.
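As an added example (not code from Vite or from the advisory), the JavaScript below checks a project for the two conditions described above: a Vite version older than the fixed release for its line, and a dev server started with --host or a non-loopback server.host. The function names, the mapping of release lines to fixes, and the rule that a CLI --host overrides the config value are assumptions of this example.

```javascript
// Added example: checks the two conditions this CVE needs (unpatched + exposed).
// Fix versions are from the advisory text above; mapping each release line to
// its fix, and treating lines newer than 6.2 as patched, are assumptions here.
const FIXED = [
  { line: [6, 2], fix: [6, 2, 4] },
  { line: [6, 1], fix: [6, 1, 3] },
  { line: [6, 0], fix: [6, 0, 13] },
  { line: [5], fix: [5, 4, 16] },
];
const FIXED_4_AND_OLDER = [4, 5, 11];
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] <= 4) return cmp(v, FIXED_4_AND_OLDER) >= 0;
  const entry = FIXED.find((e) => e.line.every((n, i) => v[i] === n));
  return entry ? cmp(v, entry.fix) >= 0 : true; // no entry: e.g. 6.3.x, 7.x
}

// `script` is the npm script that starts the dev server; `serverHost` is the
// server.host value from the Vite config. A CLI --host is assumed to win.
function isExposed({ script = "", serverHost } = {}) {
  const m = /(?:^|\s)--host(?=[=\s]|$)(?:[=\s]+([^\s-]\S*))?/.exec(script);
  const host = m ? (m[1] === undefined ? true : m[1]) : serverHost;
  if (host === undefined || host === false) return false; // default: localhost
  return host === true || !LOOPBACK.has(host);
}

function auditVite(version, opts) {
  const patched = isPatched(version);
  const exposed = isExposed(opts);
  return { version, patched, exposed, atRisk: exposed && !patched };
}

// Constructed sample inputs, not taken from any real project.
console.log(auditVite("6.2.3", { script: "vite --host" }));
console.log(auditVite("5.4.16", { script: "vite", serverHost: "0.0.0.0" }));
```

A result with `atRisk: true` means both conditions hold; upgrading to the fixed release for that line or removing the network exposure clears it.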
Details
- CWE(s)
- KEV Date Added: 22 January 2026