Arbitrary File Disclosure Vulnerability in Vite Frontend Framework
CVE-2025-31486
What is CVE-2025-31486?
CVE-2025-31486 is a vulnerability in Vite, a widely used build tool and development server for JavaScript applications. It allows an attacker who can reach the Vite development server to have the contents of arbitrary files returned to the browser, bypassing the server's file-access deny list. The risk arises when an application exposes the development server to the network rather than binding it to localhost: anyone on that network can then read files the deny list was meant to protect, such as environment files, private keys and source code. Organizations that run Vite dev servers on shared or reachable networks should treat this as an information-disclosure issue against the project directory.
Technical Details
The vulnerability is a bypass of the development server's file access restrictions, specifically the server.fs.deny list. A request for a denied file is crafted with extra query parameters, such as ?.svg, combined with a second trigger; the upstream advisory names the ?.wasm?init query and the sec-fetch-dest: script request header as the companions that make the bypass work. The server's asset handling then returns the raw file contents, which is why the inline-size limit matters: the target file must be smaller than build.assetsInlineLimit, which defaults to 4096 bytes (4 kB). Upstream states that the bypass works against Vite 6.0 and later, although fixes were also released for the 4.5.x and 5.4.x lines (see Affected Version(s) below). The attack is only reachable when the development server is deliberately exposed to the network, for example with --host or the server.host option; a dev server bound to localhost is not reachable from other hosts.
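The following is an added example, not code from Vite or from this page: a log-triage heuristic that flags dev-server requests shaped like the bypass described above (a ?.svg marker on a path that is not an SVG, paired with ?.wasm?init or a sec-fetch-dest: script header), requests for deny-listed files, and paths that escape the project root. PROJECT_ROOT, the deny patterns (modeled on the kinds of entries documented for server.fs.deny, not Vite's list verbatim) and SAMPLE_REQUESTS are all constructed for the demo.

```javascript
// Added example, not code from Vite or from this page: a log-triage heuristic for
// CVE-2025-31486-style requests against a Vite dev server. It flags the query
// combinations the upstream advisory describes (a ?.svg marker on a non-SVG path
// together with ?.wasm?init or a sec-fetch-dest: script header), requests for
// deny-listed files, and paths that escape the project root. PROJECT_ROOT, the
// deny list and SAMPLE_REQUESTS are constructed for this demo.

const PROJECT_ROOT = '/srv/app'; // assumed project root

// Modeled on the kinds of entries Vite documents for server.fs.deny (.env, .env.*,
// *.crt, *.pem); an assumption here, not Vite's default list verbatim.
const DENY_PATTERNS = [/^\.env$/, /^\.env\..+$/, /\.(crt|pem)$/];

// Collapse "." and ".." segments so traversal attempts resolve to their real target.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Map a dev-server URL path to the filesystem path it names. Vite serves absolute
// paths under its /@fs/ prefix; everything else is relative to the project root.
function resolveFsPath(urlPath) {
  const decoded = decodeURIComponent(urlPath);
  return decoded.startsWith('/@fs/')
    ? normalizePath(decoded.slice('/@fs'.length))
    : normalizePath(PROJECT_ROOT + '/' + decoded);
}

// Returns { url, fsPath, suspicious, reasons } for one request { url, headers }.
function analyzeRequest(req) {
  const qIdx = req.url.indexOf('?');
  const urlPath = qIdx === -1 ? req.url : req.url.slice(0, qIdx);
  const rawQuery = qIdx === -1 ? '' : req.url.slice(qIdx + 1);
  const fsPath = resolveFsPath(urlPath);
  const base = fsPath.slice(fsPath.lastIndexOf('/') + 1);
  const ext = base.includes('.') ? base.slice(base.lastIndexOf('.')) : '';
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), String(v).toLowerCase()]),
  );
  const reasons = [];

  const svgMarker = /(^|[?&])\.svg(\b|$)/.test(rawQuery);
  const wasmInit = /(^|[?&])\.wasm\?init/.test(rawQuery);
  const scriptDest = headers['sec-fetch-dest'] === 'script';

  // The advisory's combination: ?.svg on something that is not an SVG, paired with
  // the ?.wasm?init query or a script fetch destination.
  if (svgMarker && ext !== '.svg' && (wasmInit || scriptDest)) {
    reasons.push('svg-query-bypass-pattern');
  }
  // A second "?" inside the query string (e.g. ?.svg?.wasm?init) is unusual for
  // Vite's own module requests and is worth a look on its own.
  if (rawQuery.includes('?')) reasons.push('stacked-query');
  if (DENY_PATTERNS.some((re) => re.test(base))) reasons.push('denied-path');
  if (!fsPath.startsWith(PROJECT_ROOT + '/')) reasons.push('escapes-root');

  return { url: req.url, fsPath, suspicious: reasons.length > 0, reasons };
}

function scanRequests(requests) {
  return requests.map(analyzeRequest).filter((r) => r.suspicious);
}

// Constructed sample requests (not a real log): two ordinary dev-server fetches,
// then two shaped like the bypass described above.
const SAMPLE_REQUESTS = [
  { url: '/src/main.ts', headers: { 'sec-fetch-dest': 'script' } },
  { url: '/assets/logo.svg?import', headers: { 'sec-fetch-dest': 'script' } },
  { url: '/@fs/srv/app/.env?.svg?.wasm?init', headers: {} },
  { url: '/@fs/etc/passwd?.svg', headers: { 'sec-fetch-dest': 'script' } },
];

for (const hit of scanRequests(SAMPLE_REQUESTS)) {
  console.log(`${hit.url} -> ${hit.fsPath}: ${hit.reasons.join(', ')}`);
}
```

Feed it the request lines from your dev server's access log (or a proxy in front of it); the two constructed attack requests produce hits, the two ordinary ones do not. The heuristic is deliberately narrow, so treat it as a triage aid rather than a complete signature.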
Potential Impact of CVE-2025-31486
- Data Exposure: The immediate risk is disclosure of files under the project directory that the deny list was meant to protect, such as .env files, configuration, private keys and source code. Any such file under the size limit can be read by an unauthenticated client that can reach the dev server.
- Unauthorized Access: Secrets recovered this way (API keys, tokens, credentials) can then be used against the services the application talks to, turning a single file read into broader access.
- Reputational Damage: A breach traced back to an exposed development server carries reputational cost on top of the direct impact, affecting customer trust, business partnerships and market position.
Affected Version(s)
Affected range             Fixed in
vite < 4.5.12              4.5.12
vite >= 5.0.0, < 5.4.17    5.4.17
vite >= 6.0.0, < 6.0.14    6.0.14
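As an added example (not code from Vite or from this page), the following classifies an installed Vite version against the three ranges in the table above and reports every Vite copy pinned in a package-lock.json, including nested copies pulled in by plugins. Only the ranges listed on this page are encoded; versions on other release lines are reported as unlisted rather than assumed safe. SAMPLE_LOCK is a constructed lockfile.

```javascript
// Added example, not code from Vite or from this page: classify an installed Vite
// version against the affected ranges in the table above and pull every pinned
// Vite version out of a package-lock.json. Only the three ranges listed on this
// page are encoded; SAMPLE_LOCK is constructed for the demo.

// [lower inclusive, upper exclusive], as listed above. "line" identifies the
// release line a range belongs to so that a release at or above the fix can be
// reported as patched rather than merely "not in range".
const AFFECTED_RANGES = [
  { lower: '0.0.0', upper: '4.5.12', line: [4, null] },
  { lower: '5.0.0', upper: '5.4.17', line: [5, null] },
  { lower: '6.0.0', upper: '6.0.14', line: [6, 0] },
];

// Parse "major.minor.patch"; a leading "v" and any pre-release/build suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// 'affected'  -> inside a listed range
// 'patched'   -> same release line as a listed range, at or above its fix
// 'unlisted'  -> a release line this table does not cover (6.1.x, 6.2.x, 7.x ...);
//                check the upstream advisory rather than assuming it is safe
function classifyVersion(version) {
  const [major, minor] = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.lower) >= 0 && compareVersions(version, r.upper) < 0) {
      return 'affected';
    }
  }
  const sameLine = AFFECTED_RANGES.some(
    (r) => r.line[0] === major && (r.line[1] === null || r.line[1] === minor),
  );
  return sameLine ? 'patched' : 'unlisted';
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every vite install, including nested copies under other packages.
function viteVersionsFromLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const report = {};
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === 'node_modules/vite' || key.endsWith('/node_modules/vite')) {
      report[key] = { version: entry.version, status: classifyVersion(entry.version) };
    }
  }
  return report;
}

// Constructed sample lockfile: a root vite plus a nested copy under a plugin.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', devDependencies: { vite: '^6.0.0' } },
    'node_modules/vite': { version: '6.0.13', dev: true },
    'node_modules/demo-plugin/node_modules/vite': { version: '5.4.17', dev: true },
  },
});

console.log(viteVersionsFromLockfile(SAMPLE_LOCK));
```

Run it against a real package-lock.json by reading the file and passing its text to viteVersionsFromLockfile; the nested-copy check matters because a plugin can pin an older Vite than the one at the project root.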
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key building block for weaponization, which can end in use by ransomware operators.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved