Vite Plugin Vulnerability Exposes Sensitive Files in Cloudflare Integration
CVE-2025-59427

2.9 LOW

Key Information:

Vendor:
Cloudflare

CVE Published:
19 September 2025

Badges

👾 Exploit Exists  🟡 Public PoC

What is CVE-2025-59427?

The Cloudflare Vite plugin, which integrates Vite with the Workers runtime, poses a serious risk when left in its default settings. It unintentionally exposes every file served by the local development server, including sensitive files in the project root such as .env and .dev.vars. Such exposure can lead to serious security breaches by revealing secrets to unauthorized users. Upgrading to version 1.6.0 or later is required to mitigate this risk.

Affected Version(s)

workers-sdk < 1.6.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V4

Score: 2.9
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved
