CVE-2025-31125
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
CISA KEV
- Vendor: Vite
- Product: Vitejs
- Due date: 2026-02-12
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31125
Exploits
References
- https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8
- https://nvd.nist.gov/vuln/detail/CVE-2025-31125
- https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949
- https://github.com/vitejs/vite
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125