Medium severity (score 5.3) · OSV Advisory · Published Apr 3, 2025 · Updated Apr 15, 2026
CVE-2025-31486
Description
Vite is a frontend tooling framework for JavaScript. In affected versions, the contents of arbitrary files can be returned to the browser: appending `?.svg` together with `?.wasm?init` to the request, or sending the request with a `sec-fetch-dest: script` header, bypasses the `server.fs.deny` restriction. The bypass is only possible when the requested file is smaller than `build.assetsInlineLimit` (default: 4 kB) and when using Vite 6.0+. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| vite | npm | >= 6.2.0, < 6.2.5 | 6.2.5 |
| vite | npm | >= 6.1.0, < 6.1.4 | 6.1.4 |
| vite | npm | >= 6.0.0, < 6.0.14 | 6.0.14 |
| vite | npm | >= 5.0.0, < 5.4.17 | 5.4.17 |
| vite | npm | < 4.5.12 | 4.5.12 |
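An added example, not part of this advisory or of the Vite project: it turns the range table above and the exposure precondition from the description into a check you can run against a project's installed Vite version. The ranges are copied from the advisory; the semver comparison is hand-rolled so the script has no dependencies. The input shape of `assessRisk` (a `config` object mirroring `vite.config.js` plus a `cliHost` flag for `--host`) and the choice of which `server.host` values count as network exposure are assumptions of this example, not rules stated by the advisory.

```javascript
// Added example, not part of the advisory or of Vite itself: does a given Vite
// version fall in an affected range, and is the dev server exposed as the
// advisory requires? No dependencies; run with `node`.

// Affected ranges copied from the advisory table. A null `min` means every
// release before `max`. The ranges do not overlap, so order does not matter.
const AFFECTED_RANGES = [
  { min: "6.2.0", max: "6.2.5", patched: "6.2.5" },
  { min: "6.1.0", max: "6.1.4", patched: "6.1.4" },
  { min: "6.0.0", max: "6.0.14", patched: "6.0.14" },
  { min: "5.0.0", max: "5.4.17", patched: "5.4.17" },
  { min: null, max: "4.5.12", patched: "4.5.12" },
];

// Parse "6.2.4", "v6.2.4" or "6.2.5-beta.1+build" into numeric core parts and
// an optional pre-release tag. Anything else is rejected rather than guessed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Pre-release ordering per semver: a plain release sorts after any pre-release of
// the same core; numeric identifiers sort numerically and before alphanumerics;
// a shorter identifier list sorts before a longer one with the same prefix.
function comparePre(a, b) {
  if (a === b) return 0;
  if (a === null) return 1;
  if (b === null) return -1;
  const xs = a.split("."), ys = b.split(".");
  for (let i = 0; i < Math.max(xs.length, ys.length); i++) {
    if (xs[i] === undefined) return -1;
    if (ys[i] === undefined) return 1;
    const xn = /^\d+$/.test(xs[i]), yn = /^\d+$/.test(ys[i]);
    if (xn && yn) {
      if (Number(xs[i]) !== Number(ys[i])) return Number(xs[i]) < Number(ys[i]) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1;
    } else if (xs[i] !== ys[i]) {
      return xs[i] < ys[i] ? -1 : 1;
    }
  }
  return 0;
}

// Comparator returning -1, 0 or 1: numeric core first, then pre-release tag.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// The advisory row that covers `version`, or null when the version is outside
// every affected range (already patched, or a release line the table does not list).
// A pre-release of a patched version (e.g. 6.2.5-beta.0) is still treated as affected.
function findAffectedRange(version) {
  for (const r of AFFECTED_RANGES) {
    const aboveMin = r.min === null || compareVersions(version, r.min) >= 0;
    const belowMax = compareVersions(version, r.max) < 0;
    if (aboveMin && belowMax) return r;
  }
  return null;
}

// Heuristic for the advisory's precondition: the dev server is reachable on the
// network when `--host` is passed or `server.host` is set to something other than
// a loopback name. Treating `true` and any non-loopback string as exposed is an
// assumption of this example, not a rule taken from the advisory.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);
function isExposed({ config = {}, cliHost = false }) {
  if (cliHost) return true;
  const host = config.server && config.server.host;
  if (host === true) return true;
  return typeof host === "string" && !LOOPBACK.has(host);
}

// Combine both conditions. `upgradeTo` is filled whenever the version is in an
// affected range even if the server is not exposed today, because exposure is one
// flag away and the fix is worth applying regardless.
function assessRisk({ version, config = {}, cliHost = false }) {
  const range = findAffectedRange(version);
  const exposed = isExposed({ config, cliHost });
  return {
    affectedVersion: range !== null,
    exposed,
    vulnerable: range !== null && exposed,
    upgradeTo: range ? range.patched : null,
  };
}
```

Feed `assessRisk` the version from `node_modules/vite/package.json` and the `server` block of your config; `vulnerable: true` means both the version and the exposure condition from the description hold, while `affectedVersion: true` with `vulnerable: false` still warrants the upgrade listed in `upgradeTo`.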
Affected products
Eleven OSV coordinates are listed; none has a CPE assigned.
| Package (PURL) | Affected range |
|---|---|
| pkg:apk/chainguard/vitess-18.0 | < 18.0.8-r11 |
| pkg:apk/chainguard/vitess-18.0-binaries | < 18.0.8-r11 |
| pkg:apk/chainguard/vitess-19.0 | < 19.0.10-r6 |
| pkg:apk/chainguard/vitess-19.0-binaries | < 19.0.10-r6 |
| pkg:apk/chainguard/vitess-20.0 | < 20.0.6-r7 |
| pkg:apk/chainguard/vitess-20.0-binaries | < 20.0.6-r7 |
| pkg:apk/chainguard/vitess-20.0-compat | < 20.0.6-r7 |
| pkg:apk/wolfi/vitess-20.0 | < 20.0.6-r7 |
| pkg:apk/wolfi/vitess-20.0-binaries | < 20.0.6-r7 |
| pkg:apk/wolfi/vitess-20.0-compat | < 20.0.6-r7 |
| pkg:npm/vite | >= 6.2.0, < 6.2.5 |
References
- GitHub advisory GHSA-xcj6-pq6g-qj4x: https://github.com/advisories/GHSA-xcj6-pq6g-qj4x
- NVD entry for CVE-2025-31486: https://nvd.nist.gov/vuln/detail/CVE-2025-31486
- Vite source, packages/vite/src/node/plugins/asset.ts at commit 037f801: https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts
- Vite commit 62d7e81: https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647
- Vite repository security advisory: https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x