CVE-2025-31125
Arbitrary File Read vulnerability in vite (npm)
What is CVE-2025-31125 About?
This Arbitrary File Read vulnerability allows an attacker to read arbitrary files from the server, even those outside the intended project root, under specific conditions. It severely impacts data confidentiality, potentially exposing sensitive information. Exploitation is relatively easy for an attacker with network access to the vulnerable dev server, using specially crafted URL parameters.
Affected Software
- vite
- >6.1.0, <6.1.3
- >6.2.0, <6.2.4
- <4.5.11
- >6.0.0, <6.0.13
- >5.0.0, <5.4.16
Technical Details
The vulnerability allows for arbitrary file reading by leveraging specific URL parameters (?inline&import or ?raw?import) when combined with filesystem path traversal. The issue occurs when the Vite dev server is explicitly exposed to the network. Although /fs/ is not always needed for files within the project root, a crafted URL like /C:/windows/win.ini?import&?inline=1.wasm?init can bypass Vite's security checks. This allows the server to process requests that include directory traversal sequences (e.g., ../../) or direct absolute paths, resulting in the base64-encoded or raw contents of non-allowed files being returned to the browser. The specific parameters (?inline&import, ?raw?import) likely alter how Vite processes the file request, turning it into a mechanism for content disclosure without proper validation of the requested path or file type.
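One way to spot the request shape described above in dev-server access logs, added here as an example and not taken from Vite or the advisory: it flags lines whose query combines import with inline or raw while the path points outside the project root. The log format, function names and sample lines are assumptions constructed for illustration.

```javascript
// Added example, not Vite code: flag dev-server requests shaped like this CVE.
// The access-log format and every sample line below are constructed.
const CONTENT_FLAGS = new Set(["inline", "raw"]); // paired with "import" per the advisory

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed escapes stay raw
}

// Split on '?' and '&': the crafted URLs carry more than one '?'.
function queryKeys(target) {
  const i = target.indexOf("?");
  if (i < 0) return [];
  return target.slice(i + 1).split(/[?&]/)
    .map((t) => safeDecode(t.split("=")[0]).toLowerCase())
    .filter(Boolean);
}

// True when the path points outside the project root: traversal, /@fs/, or a drive path.
function pathEscapesRoot(target) {
  const path = safeDecode(target.split("?")[0]).replace(/\\/g, "/");
  return path.split("/").includes("..") || path.startsWith("/@fs/") || /^\/[A-Za-z]:\//.test(path);
}

function isSuspicious(target) {
  const keys = queryKeys(target);
  return keys.includes("import") && keys.some((k) => CONTENT_FLAGS.has(k)) && pathEscapesRoot(target);
}

// Pull the request target out of each log line and keep the lines that match.
function scanLog(lines) {
  return lines.filter((line) => {
    const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    return m !== null && isSuspicious(m[1]);
  });
}

const SAMPLE_LOG = [ // constructed
  '10.0.0.5 - - [01/Apr/2025:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Apr/2025:10:00:02 +0000] "GET /src/logo.svg?import&inline HTTP/1.1" 200 900',
  '10.0.0.9 - - [01/Apr/2025:10:00:03 +0000] "GET /C:/windows/win.ini?import&?inline=1.wasm?init HTTP/1.1" 200 92',
  '10.0.0.9 - - [01/Apr/2025:10:00:04 +0000] "GET /@fs/etc/hosts?raw?import HTTP/1.1" 200 180',
  '10.0.0.9 - - [01/Apr/2025:10:00:05 +0000] "GET /../../etc/hosts?inline&import HTTP/1.1" 403 0',
];

console.log(scanLog(SAMPLE_LOG).length, "of", SAMPLE_LOG.length, "lines flagged");
```

Legitimate imports served through /@fs/ from allowed directories can match as well, so treat a hit as a lead to check against the project's allowed paths.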
What is the Impact of CVE-2025-31125?
Successful exploitation may allow attackers to disclose sensitive information from arbitrary files on the system, leading to data breaches or further system compromise.
What is the Exploitability of CVE-2025-31125?
Exploitation of this vulnerability is of moderate complexity, requiring specific environmental conditions and a specially crafted request. Prerequisites include the Vite dev server being explicitly exposed to the network (via --host or server.host configuration). Authentication is not required for exploitation, and the attack can be performed remotely. Privilege requirements are low, as the vulnerability is in how the server handles file requests. The special conditions involve crafting the URL with specific query parameters like ?inline&import or ?raw?import to trigger the file content disclosure. The primary risk factor increasing exploitation likelihood is an exposed dev server, as an attacker with network access can directly send the malicious request to bypass file system access controls.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| sunhuiHi666 | Link | Vite arbitrary file read vulnerability PoC |
| MuhammadWaseem29 | Link | Vite Development Server's @fs endpoint (CVE-2025-31125) to access sensitive files like /etc/passwd and /etc/hosts via crafted URLs. |
| nak000 | Link | PoC for CVE-2025-31125 |
What are the Available Fixes for CVE-2025-31125?
Available Upgrade Options
- vite
- <4.5.11 → Upgrade to 4.5.11
- vite
- >5.0.0, <5.4.16 → Upgrade to 5.4.16
- vite
- >6.0.0, <6.0.13 → Upgrade to 6.0.13
- vite
- >6.1.0, <6.1.3 → Upgrade to 6.1.3
- vite
- >6.2.0, <6.2.4 → Upgrade to 6.2.4
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-31125
- https://osv.dev/vulnerability/GHSA-4r4m-qw57-chr8
- https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949
- https://github.com/vitejs/vite
- https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8
What are Similar Vulnerabilities to CVE-2025-31125?
Similar Vulnerabilities: CVE-2021-38299, CVE-2021-31627, CVE-2020-13936, CVE-2022-24756, CVE-2024-34005
