Skip to main content

Vite CVE-2025-31125

MEDIUM
Information Exposure (CWE-200)
2025-03-31 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Mar 28, 2026 - 18:34 vuln.today
Patch released
Mar 28, 2026 - 18:34 nvd
Patch available
Added to CISA KEV
Jan 23, 2026 - 18:39 cisa
CISA KEV
PoC Detected
Jan 23, 2026 - 18:39 vuln.today
Public exploit code
CVE Published
Mar 31, 2025 - 17:15 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 20 npm packages depend on vite (9 direct, 11 indirect)

Ecosystem-wide dependent count for version 6.2.0.

DescriptionGitHub Advisory

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

AnalysisAI

Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. Affected products include: Vitejs Vite.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

More in Vite

View all
CVE-2025-30208 MEDIUM POC
5.3 Mar 24

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15,

CVE-2024-52011 HIGH POC
7.5 Jun 01

launch-editor allows users to open files with line numbers in editor from Node.js. Rated high severity (CVSS 7.5), this

CVE-2024-23331 HIGH POC
7.5 Jan 19

Vite is a frontend tooling framework for javascript. Rated high severity (CVSS 7.5), this vulnerability is remotely expl

CVE-2023-34092 HIGH POC
7.5 Jun 01

Vite provides frontend tooling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentic

CVE-2025-46565 MEDIUM POC
6.0 May 01

Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 6.0), this vulnerability is remotely ex

CVE-2023-49293 MEDIUM POC
6.1 Dec 04

Vite is a website frontend framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a

CVE-2022-35204 MEDIUM POC
4.3 Aug 18

Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the v

CVE-2025-58751 LOW POC
2.3 Sep 08

Vite is a frontend tooling framework for JavaScript. Rated low severity (CVSS 2.3), this vulnerability is remotely explo

CVE-2025-58752 LOW POC
2.3 Sep 08

Vite is a frontend tooling framework for JavaScript. Rated low severity (CVSS 2.3), this vulnerability is remotely explo

CVE-2025-24010 MEDIUM POC
6.5 Jan 20

Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 6.5), this vulnerability is remotely ex

Vendor StatusVendor

Share

CVE-2025-31125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy