Moderate severity · CISA KEV · NVD Advisory · Published Mar 31, 2025 · Updated Jan 23, 2026

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

CVE-2025-31125

Description

Vite is a frontend tooling framework for JavaScript. Vite exposes the content of non-allowed files using `?inline&import` or `?raw?import`. Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| vite (npm) | >= 6.2.0, < 6.2.4 | 6.2.4 |
| vite (npm) | >= 6.1.0, < 6.1.3 | 6.1.3 |
| vite (npm) | >= 6.0.0, < 6.0.13 | 6.0.13 |
| vite (npm) | >= 5.0.0, < 5.4.16 | 5.4.16 |
| vite (npm) | < 4.5.11 | 4.5.11 |
