VYPR
Medium severity, score 5.3 · OSV Advisory · Published Apr 3, 2025 · Updated Apr 15, 2026

CVE-2025-31486

Description

Vite is a frontend tooling framework for JavaScript. In affected versions the contents of arbitrary files can be returned to the browser: appending ?.svg together with ?.wasm?init to the request URL, or appending ?.svg and sending a sec-fetch-dest: script request header, bypasses the server.fs.deny restriction. The bypass only works for files smaller than build.assetsInlineLimit (default: 4 kB) and, per the advisory text, when using Vite 6.0+, although patched releases are also shipped for the 4.5 and 5.4 lines (see the affected-versions table). Only apps that explicitly expose the Vite dev server to the network (using --host or the server.host config option) are affected; the default listener is bound to localhost. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
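The two request shapes the description names, and a scan of dev-server access logs for them, as an added example in Node.js (not Vite's code and not the advisory's proof of concept). The loopback origin http://127.0.0.1:5173 (Vite's default dev port), the log-line layout and the log lines themselves are constructed for this example; the functions do no network I/O, so any probe built with them is something you would send only to a dev server you own.

```javascript
// Added example (not Vite's code, not the advisory's PoC): the two request
// shapes described above, plus a scanner that flags them in access logs.

// Vite's dev server listens on port 5173 by default; the loopback origin
// below is an assumption for this example.
const DEFAULT_ORIGIN = "http://127.0.0.1:5173";

// Build the two request variants the description names for one file path.
// Nothing is sent; the caller decides whether and where to send them.
function buildProbeRequests(filePath, origin = DEFAULT_ORIGIN) {
  const path = filePath.startsWith("/") ? filePath : `/${filePath}`;
  return [
    // Variant 1: "?.svg" combined with "?.wasm?init" in the URL.
    { url: `${origin}${path}?.svg?.wasm?init`, headers: {} },
    // Variant 2: "?.svg" plus a "Sec-Fetch-Dest: script" request header.
    { url: `${origin}${path}?.svg`, headers: { "sec-fetch-dest": "script" } },
  ];
}

// Split a raw request target at its first "?". The bypass relies on extra
// "?" characters inside the query, so keep the query as raw text rather than
// letting a URL parser normalise it away.
function splitTarget(target) {
  const i = target.indexOf("?");
  return i === -1 ? [target, ""] : [target.slice(0, i), target.slice(i)];
}

// Classify one request. Returns null for anything that matches neither
// variant, otherwise the requested path and the variant it matches.
function classifyRequest(target, headers = {}) {
  const [path, query] = splitTarget(target);
  if (!query.includes("?.svg")) return null;
  if (query.includes(".wasm?init")) return { path, variant: "wasm-init" };
  const fetchDest = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "sec-fetch-dest")?.[1];
  if ((fetchDest || "").toLowerCase() === "script") {
    return { path, variant: "sec-fetch-dest" };
  }
  return null;
}

// Constructed access-log lines, not real traffic. One request per line:
//   <timestamp> <client> <method> <target> <sec-fetch-dest or "-"> <status>
const SAMPLE_LOG = `
2025-04-03T10:00:00Z 203.0.113.9 GET /src/main.ts - 200
2025-04-03T10:00:01Z 203.0.113.9 GET /.env?.svg?.wasm?init - 200
2025-04-03T10:00:02Z 203.0.113.9 GET /server.pem?.svg script 200
2025-04-03T10:00:03Z 198.51.100.7 GET /logo.svg?import - 200
`.trim();

// Run classifyRequest over every line and collect the matches.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 6) continue; // skip blank or malformed lines
    const [ts, client, method, target, fetchDest, status] = fields;
    const headers = fetchDest === "-" ? {} : { "sec-fetch-dest": fetchDest };
    const hit = classifyRequest(target, headers);
    if (hit) findings.push({ ts, client, method, status: Number(status), ...hit });
  }
  return findings;
}

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

A finding only shows that the request shape was seen; whether the response body actually carried the file is what tells you the server was unpatched, so pair this with the response size or a version check of the server. The matching is deliberately on the raw query string, since normalising `?.svg?.wasm?init` through a URL parser would hide the second `?`.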

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Affected versions    Patched versions
vite (npm)   >= 6.2.0, < 6.2.5    6.2.5
vite (npm)   >= 6.1.0, < 6.1.4    6.1.4
vite (npm)   >= 6.0.0, < 6.0.14   6.0.14
vite (npm)   >= 5.0.0, < 5.4.17   5.4.17
vite (npm)   < 4.5.12             4.5.12
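A version check against the ranges in this table, as an added example (not tooling from Vite or from the advisory): a dependency-free semver comparison plus a pass over a package-lock.json, so it can run in CI before the dev server is ever started. The lockfile fragment is constructed for the example, and a version that falls outside every listed range is reported as "not listed" rather than as proven unaffected.

```javascript
// Added example (not Vite's or the advisory's tooling): check Vite versions
// against the affected ranges listed in the table above.

// The ranges exactly as the table lists them: a lower bound (null = none)
// and the first patched version of that release line.
const AFFECTED_RANGES = [
  { min: "6.2.0", fixed: "6.2.5" },
  { min: "6.1.0", fixed: "6.1.4" },
  { min: "6.0.0", fixed: "6.0.14" },
  { min: "5.0.0", fixed: "5.4.17" },
  { min: null, fixed: "4.5.12" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]", with an optional leading "v".
function parseVersion(v) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A pre-release sorts below the release with the same numbers, as semver says.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1; // lexical order is enough for this check
}

// Is this version inside one of the listed ranges? If so, report the version
// of the same release line that fixes it. A version outside every range is
// "not listed", which is not the same as proven unaffected.
function checkViteVersion(version) {
  for (const range of AFFECTED_RANGES) {
    const aboveMin = range.min === null || compareVersions(version, range.min) >= 0;
    if (aboveMin && compareVersions(version, range.fixed) < 0) {
      return { version, inAffectedRange: true, upgradeTo: range.fixed };
    }
  }
  return { version, inAffectedRange: false, upgradeTo: null };
}

// Constructed package-lock.json fragment (lockfileVersion 2/3 layout, where
// "packages" is keyed by install path), not a real project's lockfile.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { vite: "^6.2.0" } },
    "node_modules/vite": { version: "6.2.3", dev: true },
    "node_modules/some-plugin/node_modules/vite": { version: "5.4.17" },
  },
};

// Check every installed copy of vite, nested copies included, since a plugin
// can carry its own older vite underneath its node_modules.
function checkLockfile(lock) {
  const results = [];
  for (const [installPath, entry] of Object.entries(lock.packages ?? {})) {
    const isVite = installPath === "node_modules/vite" ||
      installPath.endsWith("/node_modules/vite");
    if (isVite && entry.version) {
      results.push({ installPath, ...checkViteVersion(entry.version) });
    }
  }
  return results;
}

console.log(checkLockfile(SAMPLE_LOCK));
```

Reading the installed version from the lockfile rather than from the `^6.2.0` range in package.json matters here: the range is satisfied by both 6.2.3 and 6.2.5, and only the resolved version tells you which one you actually have.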
