Security Advisories

CVE-2025-31125

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-31125

Severity

5.3

Medium

CVSS V3

Summary

Vite has a server.fs.deny bypassed for inline and raw with ?import query

Description

Vite is a frontend tooling framework for JavaScript. Vite exposes the content of non-allowed files when a request uses ?inline&import or ?raw?import. Only apps that explicitly expose the Vite dev server to the network (using --host or the server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
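
A triage check built from the two conditions in the description, the fixed version on each release line and whether the dev server is bound beyond loopback. This is an added example, not code from Vite or from this advisory; the function names and the `needsAction` field are hypothetical, and treating release lines the advisory does not name as "unlisted" (to be reviewed by hand) is an assumption.

```javascript
// Added example, not Vite or Chainguard code. Fixed versions come from the advisory text.
const FIXED_PATCH = { '6.2': 4, '6.1': 3, '6.0': 13, '5.4': 16, '4.5': 11 };
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// Returns 'patched', 'vulnerable', or 'unlisted' (release line not named in the advisory).
function versionStatus(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) throw new TypeError(`unparseable version: ${version}`);
  const fixedPatch = FIXED_PATCH[`${m[1]}.${m[2]}`];
  if (fixedPatch === undefined) return 'unlisted';
  const patch = Number(m[3]);
  // A pre-release of the fixed version (e.g. 6.2.4-beta.1) sorts before the fix in semver.
  if (patch === fixedPatch && m[4]) return 'vulnerable';
  return patch >= fixedPatch ? 'patched' : 'vulnerable';
}

// True when the dev server listens beyond loopback. CLI --host overrides server.host.
function isExposed(serverHost, cliArgs = []) {
  let host = serverHost;
  const i = cliArgs.findIndex((a) => a === '--host' || a.startsWith('--host='));
  if (i !== -1) {
    const next = cliArgs[i + 1];
    if (cliArgs[i].includes('=')) host = cliArgs[i].slice('--host='.length);
    else host = next !== undefined && !next.startsWith('-') ? next : true; // bare --host: all addresses
  }
  if (host === undefined || host === false) return false; // Vite's default host is localhost
  return host === true || !LOOPBACK.has(String(host));
}

// Unlisted release lines are flagged too, so a person checks them against the upstream advisory.
function assess(version, serverHost, cliArgs) {
  const status = versionStatus(version);
  const exposed = isExposed(serverHost, cliArgs);
  return { status, exposed, needsAction: exposed && status !== 'patched' };
}

// Constructed sample inputs.
console.log(assess('6.2.3', true));
console.log(assess('5.4.16', '0.0.0.0'));
console.log(assess('6.1.2', undefined, ['--host']));
```

Feed it the installed version from the lockfile plus the `server.host` value and the arguments of the dev script to decide which projects need the upgrade first.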

References

Affected packages


© 2025 Chainguard. All Rights Reserved.