Moderate severityCISA KEVNVD Advisory· Published Mar 31, 2025· Updated Jan 23, 2026
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
CVE-2025-31125
Description
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vitenpm | >= 6.2.0, < 6.2.4 | 6.2.4 |
vitenpm | >= 6.1.0, < 6.1.3 | 6.1.3 |
vitenpm | >= 6.0.0, < 6.0.13 | 6.0.13 |
vitenpm | >= 5.0.0, < 5.4.16 | 5.4.16 |
vitenpm | < 4.5.11 | 4.5.11 |
Affected products
18- osv-coords17 versionspkg:apk/chainguard/vitess-18.0pkg:apk/chainguard/vitess-18.0-binariespkg:apk/chainguard/vitess-19.0pkg:apk/chainguard/vitess-19.0-binariespkg:apk/chainguard/vitess-20.0pkg:apk/chainguard/vitess-20.0-binariespkg:apk/chainguard/vitess-20.0-compatpkg:apk/chainguard/vitess-21.0pkg:apk/chainguard/vitess-21.0-binariespkg:apk/chainguard/vitess-21.0-compatpkg:apk/wolfi/vitess-20.0pkg:apk/wolfi/vitess-20.0-binariespkg:apk/wolfi/vitess-20.0-compatpkg:apk/wolfi/vitess-21.0pkg:apk/wolfi/vitess-21.0-binariespkg:apk/wolfi/vitess-21.0-compatpkg:npm/vite
< 18.0.8-r10+ 16 more
- (no CPE)range: < 18.0.8-r10
- (no CPE)range: < 18.0.8-r10
- (no CPE)range: < 19.0.10-r5
- (no CPE)range: < 19.0.10-r5
- (no CPE)range: < 20.0.6-r6
- (no CPE)range: < 20.0.6-r6
- (no CPE)range: < 20.0.6-r6
- (no CPE)range: < 21.0.3-r5
- (no CPE)range: < 21.0.3-r5
- (no CPE)range: < 21.0.3-r5
- (no CPE)range: < 20.0.6-r6
- (no CPE)range: < 20.0.6-r6
- (no CPE)range: < 20.0.6-r6
- (no CPE)range: < 21.0.3-r5
- (no CPE)range: < 21.0.3-r5
- (no CPE)range: < 21.0.3-r5
- (no CPE)range: >= 6.2.0, < 6.2.4
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-4r4m-qw57-chr8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-31125ghsaADVISORY
- github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949ghsax_refsource_MISCWEB
- github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8ghsax_refsource_CONFIRMWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
News mentions
0No linked articles in our index yet.