File Access Vulnerability in Vite Frontend Tooling Framework
CVE-2025-32395
What is CVE-2025-32395?
CVE-2025-32395 is a vulnerability found in the Vite frontend tooling framework used primarily for JavaScript development. Vite streamlines the build and development processes for web applications by providing efficient tooling and fast performance. This specific vulnerability could potentially allow malicious actors to access the contents of arbitrary files from the server when the development server is running on certain environments, such as Node or Bun, leading to a significant security risk for organizations that expose their Vite development server to the network.
Technical Details
The vulnerability arises when the Vite development server accepts requests with an invalid request-target, specifically those containing the '#' character in the URL. According to the HTTP/1.1 specification, such requests should be rejected, but the Vite server does not handle these cases properly. Instead, these requests bypass the file path validations, exposing the server's file system to unauthorized access. The issue is present in multiple versions of Vite prior to the secure releases, which include versions 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
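As an added illustration (not code from Vite or from this advisory), the following Vite plugin sketches a compensating guard that answers 400 to any request-target containing a raw '#' before file serving runs. The plugin name, helper names and sample URLs are hypothetical, and the guard does not replace upgrading to one of the secure releases listed above.

```javascript
// Added example, not Vite's own code. Names and sample URLs are constructed.

// An HTTP/1.1 request-target never carries a fragment, so a raw '#' in
// req.url means the runtime passed an invalid request line through.
// A percent-encoded '%23' is a legal path character and is left alone.
function hasInvalidRequestTarget(rawUrl) {
  return typeof rawUrl !== 'string' || rawUrl.includes('#');
}

// Connect-style middleware: reply 400 before any file-serving logic runs.
function rejectInvalidRequestTarget(req, res, next) {
  if (hasInvalidRequestTarget(req.url)) {
    res.statusCode = 400;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Bad Request: invalid request-target');
    return;
  }
  next();
}

// Vite plugin wrapper. configureServer hooks are called before Vite installs
// its internal middlewares, so this guard is evaluated first.
// Usage in vite.config.js: plugins: [rejectFragmentRequests()]
function rejectFragmentRequests() {
  return {
    name: 'reject-fragment-requests', // hypothetical plugin name
    configureServer(server) {
      server.middlewares.use(rejectInvalidRequestTarget);
    },
  };
}

// Drive the middleware with stub req/res objects (constructed input).
function simulate(url) {
  const res = {
    statusCode: 200,
    headers: {},
    body: null,
    setHeader(key, value) { this.headers[key] = value; },
    end(body) { this.body = body; },
  };
  let passed = false;
  rejectInvalidRequestTarget({ url }, res, () => { passed = true; });
  return { status: res.statusCode, passed };
}

console.log(simulate('/index.html?v=1'));  // passes through to next()
console.log(simulate('/index.html#frag')); // rejected with 400
```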
Potential Impact of CVE-2025-32395
- Unauthorized File Access: Attackers may exploit the vulnerability to access sensitive files stored on the server, which could lead to unauthorized disclosure of confidential information.
- Increased Attack Surface: Any applications deliberately exposing the Vite development server to the network are particularly at risk, increasing the likelihood of compromise and potential cascading effects on other systems connected to the same network.
- Development Environment Vulnerabilities: Since the vulnerability primarily affects development setups, it poses a risk to ongoing development work, potentially allowing attackers to infect the build process and introduce malware into production applications inadvertently.
Affected Version(s)
vite >= 6.2.0, < 6.2.6 < 6.2.0, 6.2.6
vite >= 6.1.0, < 6.1.5 < 6.1.0, 6.1.5
vite >= 6.0.0, < 6.0.15 < 6.0.0, 6.0.15
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved