Low severity · OSV Advisory · Published Sep 19, 2025 · Updated Apr 15, 2026

CVE-2025-59427

Description

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.
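
To check a project against this advisory, the sketch below (an added example, not code from the advisory or from workers-sdk) flags plugin versions below 1.6.0 and compares what a local dev server returns for each secret file with that file's content on disk. The function names, the `files` map, the stub server and the `http://localhost:5173` URL are assumptions made for illustration; the sample values are the ones in the fix commit's playground fixtures.

```javascript
// Added example; not code from @cloudflare/vite-plugin or the advisory.
const PATCHED = [1, 6, 0]; // first fixed version, per the advisory

// True when an installed @cloudflare/vite-plugin version is below 1.6.0.
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const parts = [m[1], m[2], m[3]].map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return Boolean(m[4]); // 1.6.0-<prerelease> sorts before 1.6.0
}

// Root-level names that hold local secrets: .env, .env.*, .dev.vars, .dev.vars.*
const SECRET_FILE = /^\.(?:env|dev\.vars)(?:\..+)?$/;
function secretFiles(rootEntries) {
  return rootEntries.filter((name) => SECRET_FILE.test(name));
}

// Classify one response by comparing it with the file's content on disk.
//   denied     - 403, what the fix commit's dev-server tests expect
//   EXPOSED    - the server handed back the secret file
//   not-served - something else answered (e.g. the Worker, as in preview)
function verdict(status, body, diskContent) {
  if (status === 403) return "denied";
  const secret = diskContent.trim();
  if (status === 200 && secret !== "" && body.includes(secret)) return "EXPOSED";
  return "not-served";
}

// Request every secret file from your own dev server and classify the answers.
// `files` maps file name -> content read from the project root (assumed shape).
async function auditDevServer(baseUrl, files, fetchImpl = globalThis.fetch) {
  const results = [];
  for (const [name, diskContent] of Object.entries(files)) {
    const res = await fetchImpl(new URL("/" + name, baseUrl));
    const body = await res.text();
    results.push({ name, status: res.status, verdict: verdict(res.status, body, diskContent) });
  }
  return results;
}

// --- Constructed demo input: names and values from the playground fixtures ---
const sampleRoot = {
  ".env": "ENV_VAR=env-var\n",
  ".dev.vars": "DEV_VAR=dev-var\n",
  ".dev.vars.staging": "STAGING_DEV_VAR=staging-dev-var\n",
};

// Stand-in for a dev server (not Vite): serves any root file unless `deny` matches.
function stubServer(deny) {
  return async (url) => {
    const name = new URL(url).pathname.slice(1);
    const blocked = deny(name);
    return { status: blocked ? 403 : 200, text: async () => (blocked ? "" : sampleRoot[name]) };
  };
}

const summarise = (label) => (rows) =>
  console.log(label, rows.map((r) => `${r.name}=${r.verdict}`).join(", "));

auditDevServer("http://localhost:5173", sampleRoot, stubServer(() => false))
  .then(summarise("no deny list:"));
auditDevServer("http://localhost:5173", sampleRoot, stubServer((n) => SECRET_FILE.test(n)))
  .then(summarise("with deny list:"));
```

For a real check, build `files` from the project root (for example, the output of `fs.readdirSync` filtered through `secretFiles`) and pass the URL your dev server prints; leaving out the third argument uses Node's built-in `fetch`.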

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| @cloudflare/vite-plugin (npm) | < 1.6.0 | 1.6.0 |

Affected products

1
  • Range: @cloudflare/chrome-devtools-patches@0.1.1, @cloudflare/chrome-devtools-patches@0.1.2, @cloudflare/kv-asset-handler@0.3.2, …

Patches

2
ccbeaf6bddad

Version Packages (#9557)

24 files changed · +105 −88
  • .changeset/clean-eyes-lead.md+0 10 removed
    @@ -1,10 +0,0 @@
    ----
    -"wrangler": patch
    ----
    -
    -slightly improve wrangler dev bindings loggings
    -
    -improve the bindings loggings by:
    -
    -- removing the unnecessary (and potentially incorrect) `[connected]` suffix for remote bindings
    -- making sure that the modes presented in the bindings logs are correctly aligned
    
  • .changeset/dirty-dryers-tie.md+0 6 removed
    @@ -1,6 +0,0 @@
    ----
    -"miniflare": patch
    -"wrangler": patch
    ----
    -
    -add hello world binding that serves as as an explanatory example.
    
  • .changeset/famous-candies-start.md+0 5 removed
    @@ -1,5 +0,0 @@
    ----
    -"wrangler": patch
    ----
    -
    -add workerName option to startMixedModeSession API
    
  • .changeset/five-shoes-call.md+0 5 removed
    @@ -1,5 +0,0 @@
    ----
    -"wrangler": patch
    ----
    -
    -make workers created with `startWorker` await the `ready` promise on `dispose`
    
  • .changeset/forty-waves-stare.md+0 5 removed
    @@ -1,5 +0,0 @@
    ----
    -"@cloudflare/vitest-pool-workers": patch
    ----
    -
    -Add support for Vitest 3.2.x
    
  • .changeset/lemon-laws-mate.md+0 6 removed
    @@ -1,6 +0,0 @@
    ----
    -"miniflare": patch
    -"wrangler": patch
    ----
    -
    -add mixed-mode support for mtls bindings
    
  • .changeset/nasty-pots-cheat.md+0 5 removed
    @@ -1,5 +0,0 @@
    ----
    -"@cloudflare/vite-plugin": patch
    ----
    -
    -Ensure that .dev.vars files cannot be accessed via the dev server or preview server.
    
  • .changeset/pink-ties-relate.md+0 5 removed
    @@ -1,5 +0,0 @@
    ----
    -"wrangler": patch
    ----
    -
    -make sure that remote binding errors are surfaced when using mixed (hybrid) mode
    
  • .changeset/rich-bottles-hug.md+0 5 removed
    @@ -1,5 +0,0 @@
    ----
    -"wrangler": patch
    ----
    -
    -Reorder deploy output when deploying a container worker so the worker url is printed last and the worker triggers aren't deployed until the container has been built and deployed successfully.
    
  • .changeset/salty-ducks-repair.md+0 5 removed
    @@ -1,5 +0,0 @@
    ----
    -"create-cloudflare": patch
    ----
    -
    -update vitest version on hello-world and hello-world-with-assets templates
    
  • .changeset/stale-boats-fold.md+0 10 removed
    @@ -1,10 +0,0 @@
    ----
    -"miniflare": minor
    -"wrangler": minor
    ----
    -
    -feat: add static routing options via 'run_worker_first' to Wrangler
    -
    -Implements the proposal noted here https://github.com/cloudflare/workers-sdk/discussions/9143.
    -
    -This is now usable in `wrangler dev` and in production - just specify the routes that should hit the worker first with `run_worker_first` in your Wrangler config. You can also omit certain paths with `!` negative rules.
    
  • .changeset/tidy-hoops-win.md+0 15 removed
    @@ -1,15 +0,0 @@
    ----
    -"@cloudflare/vite-plugin": minor
    ----
    -
    -Enhanced build support for Workers with assets.
    -
    -Assets that are imported in the entry Worker are now automatically moved to the client build output. This enables importing assets in your Worker and accessing them via the [assets binding](https://developers.cloudflare.com/workers/static-assets/binding/#binding). See [Static Asset Handling](https://vite.dev/guide/assets) to find out about all the ways you can import assets in Vite.
    -
    -Additionally, a broader range of build scenarios are now supported. These are:
    -
    -- Assets only build with client entry/entries
    -- Assets only build with no client entry/entries that includes `public` directory assets
    -- Worker(s) + assets build with client entry/entries
    -- Worker(s) + assets build with no client entry/entries that includes imported and/or `public` directory assets
    -- Worker(s) build with no assets
    
  • packages/create-cloudflare/CHANGELOG.md+6 0 modified
    @@ -1,5 +1,11 @@
     # create-cloudflare
     
    +## 2.49.2
    +
    +### Patch Changes
    +
    +- [#9439](https://github.com/cloudflare/workers-sdk/pull/9439) [`8d648e7`](https://github.com/cloudflare/workers-sdk/commit/8d648e7c2f94cf315cdfffad6ee43e01e82a0947) Thanks [@edmundhung](https://github.com/edmundhung)! - update vitest version on hello-world and hello-world-with-assets templates
    +
     ## 2.49.1
     
     ### Patch Changes
    
  • packages/create-cloudflare/package.json+1 1 modified
    @@ -1,6 +1,6 @@
     {
     	"name": "create-cloudflare",
    -	"version": "2.49.1",
    +	"version": "2.49.2",
     	"description": "A CLI for creating and deploying new applications to Cloudflare.",
     	"keywords": [
     		"cloudflare",
    
  • packages/miniflare/CHANGELOG.md+16 0 modified
    @@ -1,5 +1,21 @@
     # miniflare
     
    +## 4.20250604.1
    +
    +### Minor Changes
    +
    +- [#9509](https://github.com/cloudflare/workers-sdk/pull/9509) [`0b2ba45`](https://github.com/cloudflare/workers-sdk/commit/0b2ba4590ca59f1d95d7262e64adeefebe6a3e7e) Thanks [@emily-shen](https://github.com/emily-shen)! - feat: add static routing options via 'run_worker_first' to Wrangler
    +
    +  Implements the proposal noted here https://github.com/cloudflare/workers-sdk/discussions/9143.
    +
    +  This is now usable in `wrangler dev` and in production - just specify the routes that should hit the worker first with `run_worker_first` in your Wrangler config. You can also omit certain paths with `!` negative rules.
    +
    +### Patch Changes
    +
    +- [#9475](https://github.com/cloudflare/workers-sdk/pull/9475) [`931f467`](https://github.com/cloudflare/workers-sdk/commit/931f467e39f70abfd0e1c08172f330e6e3de02a3) Thanks [@edmundhung](https://github.com/edmundhung)! - add hello world binding that serves as as an explanatory example.
    +
    +- [#9443](https://github.com/cloudflare/workers-sdk/pull/9443) [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - add mixed-mode support for mtls bindings
    +
     ## 4.20250604.0
     
     ### Patch Changes
    
  • packages/miniflare/package.json+1 1 modified
    @@ -1,6 +1,6 @@
     {
     	"name": "miniflare",
    -	"version": "4.20250604.0",
    +	"version": "4.20250604.1",
     	"description": "Fun, full-featured, fully-local simulator for Cloudflare Workers",
     	"keywords": [
     		"cloudflare",
    
  • packages/pages-shared/CHANGELOG.md+7 0 modified
    @@ -1,5 +1,12 @@
     # @cloudflare/pages-shared
     
    +## 0.13.45
    +
    +### Patch Changes
    +
    +- Updated dependencies [[`931f467`](https://github.com/cloudflare/workers-sdk/commit/931f467e39f70abfd0e1c08172f330e6e3de02a3), [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1), [`0b2ba45`](https://github.com/cloudflare/workers-sdk/commit/0b2ba4590ca59f1d95d7262e64adeefebe6a3e7e)]:
    +  - miniflare@4.20250604.1
    +
     ## 0.13.44
     
     ### Patch Changes
    
  • packages/pages-shared/package.json+1 1 modified
    @@ -1,6 +1,6 @@
     {
     	"name": "@cloudflare/pages-shared",
    -	"version": "0.13.44",
    +	"version": "0.13.45",
     	"repository": {
     		"type": "git",
     		"url": "https://github.com/cloudflare/workers-sdk.git",
    
  • packages/vite-plugin-cloudflare/CHANGELOG.md+25 0 modified
    @@ -1,5 +1,30 @@
     # @cloudflare/vite-plugin
     
    +## 1.6.0
    +
    +### Minor Changes
    +
    +- [#9510](https://github.com/cloudflare/workers-sdk/pull/9510) [`590d69b`](https://github.com/cloudflare/workers-sdk/commit/590d69b7b46954947d0b3f9dacd7da7417e736b7) Thanks [@jamesopstad](https://github.com/jamesopstad)! - Enhanced build support for Workers with assets.
    +
    +  Assets that are imported in the entry Worker are now automatically moved to the client build output. This enables importing assets in your Worker and accessing them via the [assets binding](https://developers.cloudflare.com/workers/static-assets/binding/#binding). See [Static Asset Handling](https://vite.dev/guide/assets) to find out about all the ways you can import assets in Vite.
    +
    +  Additionally, a broader range of build scenarios are now supported. These are:
    +
    +  - Assets only build with client entry/entries
    +  - Assets only build with no client entry/entries that includes `public` directory assets
    +  - Worker(s) + assets build with client entry/entries
    +  - Worker(s) + assets build with no client entry/entries that includes imported and/or `public` directory assets
    +  - Worker(s) build with no assets
    +
    +### Patch Changes
    +
    +- [#9513](https://github.com/cloudflare/workers-sdk/pull/9513) [`0e50072`](https://github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4bd764ebc38) Thanks [@jamesopstad](https://github.com/jamesopstad)! - Ensure that .dev.vars files cannot be accessed via the dev server or preview server.
    +
    +- Updated dependencies [[`1914b87`](https://github.com/cloudflare/workers-sdk/commit/1914b87e254bb733298cb0c0e96bb0bd234acde4), [`931f467`](https://github.com/cloudflare/workers-sdk/commit/931f467e39f70abfd0e1c08172f330e6e3de02a3), [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1), [`80b8bd9`](https://github.com/cloudflare/workers-sdk/commit/80b8bd93e6dd931a7b216645a6f249642c420dee), [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1), [`9e4cd16`](https://github.com/cloudflare/workers-sdk/commit/9e4cd16ce1639cc6763f5c50b9478eece7f4be73), [`92305af`](https://github.com/cloudflare/workers-sdk/commit/92305af0a7efa68fc0e13e3549f88d19f3cb069b), [`0b2ba45`](https://github.com/cloudflare/workers-sdk/commit/0b2ba4590ca59f1d95d7262e64adeefebe6a3e7e)]:
    +  - wrangler@4.20.0
    +  - miniflare@4.20250604.1
    +  - @cloudflare/unenv-preset@2.3.3
    +
     ## 1.5.1
     
     ### Patch Changes
    
  • packages/vite-plugin-cloudflare/package.json+1 1 modified
    @@ -1,6 +1,6 @@
     {
     	"name": "@cloudflare/vite-plugin",
    -	"version": "1.5.1",
    +	"version": "1.6.0",
     	"description": "Cloudflare plugin for Vite",
     	"keywords": [
     		"cloudflare",
    
  • packages/vitest-pool-workers/CHANGELOG.md+10 0 modified
    @@ -1,5 +1,15 @@
     # @cloudflare/vitest-pool-workers
     
    +## 0.8.38
    +
    +### Patch Changes
    +
    +- [#9439](https://github.com/cloudflare/workers-sdk/pull/9439) [`8d648e7`](https://github.com/cloudflare/workers-sdk/commit/8d648e7c2f94cf315cdfffad6ee43e01e82a0947) Thanks [@edmundhung](https://github.com/edmundhung)! - Add support for Vitest 3.2.x
    +
    +- Updated dependencies [[`1914b87`](https://github.com/cloudflare/workers-sdk/commit/1914b87e254bb733298cb0c0e96bb0bd234acde4), [`931f467`](https://github.com/cloudflare/workers-sdk/commit/931f467e39f70abfd0e1c08172f330e6e3de02a3), [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1), [`80b8bd9`](https://github.com/cloudflare/workers-sdk/commit/80b8bd93e6dd931a7b216645a6f249642c420dee), [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1), [`9e4cd16`](https://github.com/cloudflare/workers-sdk/commit/9e4cd16ce1639cc6763f5c50b9478eece7f4be73), [`92305af`](https://github.com/cloudflare/workers-sdk/commit/92305af0a7efa68fc0e13e3549f88d19f3cb069b), [`0b2ba45`](https://github.com/cloudflare/workers-sdk/commit/0b2ba4590ca59f1d95d7262e64adeefebe6a3e7e)]:
    +  - wrangler@4.20.0
    +  - miniflare@4.20250604.1
    +
     ## 0.8.37
     
     ### Patch Changes
    
  • packages/vitest-pool-workers/package.json+1 1 modified
    @@ -1,6 +1,6 @@
     {
     	"name": "@cloudflare/vitest-pool-workers",
    -	"version": "0.8.37",
    +	"version": "0.8.38",
     	"description": "Workers Vitest integration for writing Vitest unit and integration tests that run inside the Workers runtime",
     	"keywords": [
     		"cloudflare",
    
  • packages/wrangler/CHANGELOG.md+35 0 modified
    @@ -1,5 +1,40 @@
     # wrangler
     
    +## 4.20.0
    +
    +### Minor Changes
    +
    +- [#9509](https://github.com/cloudflare/workers-sdk/pull/9509) [`0b2ba45`](https://github.com/cloudflare/workers-sdk/commit/0b2ba4590ca59f1d95d7262e64adeefebe6a3e7e) Thanks [@emily-shen](https://github.com/emily-shen)! - feat: add static routing options via 'run_worker_first' to Wrangler
    +
    +  Implements the proposal noted here https://github.com/cloudflare/workers-sdk/discussions/9143.
    +
    +  This is now usable in `wrangler dev` and in production - just specify the routes that should hit the worker first with `run_worker_first` in your Wrangler config. You can also omit certain paths with `!` negative rules.
    +
    +### Patch Changes
    +
    +- [#9507](https://github.com/cloudflare/workers-sdk/pull/9507) [`1914b87`](https://github.com/cloudflare/workers-sdk/commit/1914b87e254bb733298cb0c0e96bb0bd234acde4) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - slightly improve wrangler dev bindings loggings
    +
    +  improve the bindings loggings by:
    +
    +  - removing the unnecessary (and potentially incorrect) `[connected]` suffix for remote bindings
    +  - making sure that the modes presented in the bindings logs are correctly aligned
    +
    +- [#9475](https://github.com/cloudflare/workers-sdk/pull/9475) [`931f467`](https://github.com/cloudflare/workers-sdk/commit/931f467e39f70abfd0e1c08172f330e6e3de02a3) Thanks [@edmundhung](https://github.com/edmundhung)! - add hello world binding that serves as as an explanatory example.
    +
    +- [#9443](https://github.com/cloudflare/workers-sdk/pull/9443) [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - add workerName option to startMixedModeSession API
    +
    +- [#9541](https://github.com/cloudflare/workers-sdk/pull/9541) [`80b8bd9`](https://github.com/cloudflare/workers-sdk/commit/80b8bd93e6dd931a7b216645a6f249642c420dee) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - make workers created with `startWorker` await the `ready` promise on `dispose`
    +
    +- [#9443](https://github.com/cloudflare/workers-sdk/pull/9443) [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - add mixed-mode support for mtls bindings
    +
    +- [#9515](https://github.com/cloudflare/workers-sdk/pull/9515) [`9e4cd16`](https://github.com/cloudflare/workers-sdk/commit/9e4cd16ce1639cc6763f5c50b9478eece7f4be73) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - make sure that remote binding errors are surfaced when using mixed (hybrid) mode
    +
    +- [#9516](https://github.com/cloudflare/workers-sdk/pull/9516) [`92305af`](https://github.com/cloudflare/workers-sdk/commit/92305af0a7efa68fc0e13e3549f88d19f3cb069b) Thanks [@IRCody](https://github.com/IRCody)! - Reorder deploy output when deploying a container worker so the worker url is printed last and the worker triggers aren't deployed until the container has been built and deployed successfully.
    +
    +- Updated dependencies [[`931f467`](https://github.com/cloudflare/workers-sdk/commit/931f467e39f70abfd0e1c08172f330e6e3de02a3), [`95eb47d`](https://github.com/cloudflare/workers-sdk/commit/95eb47d2c6adcff9a475c0cd507a72bd2e83f3b1), [`0b2ba45`](https://github.com/cloudflare/workers-sdk/commit/0b2ba4590ca59f1d95d7262e64adeefebe6a3e7e)]:
    +  - miniflare@4.20250604.1
    +  - @cloudflare/unenv-preset@2.3.3
    +
     ## 4.19.2
     
     ### Patch Changes
    
  • packages/wrangler/package.json+1 1 modified
    @@ -1,6 +1,6 @@
     {
     	"name": "wrangler",
    -	"version": "4.19.2",
    +	"version": "4.20.0",
     	"description": "Command-line interface for all things Cloudflare Workers",
     	"keywords": [
     		"wrangler",
    
0e500720bf70

Restrict access to .dev.vars files (#9513)

https://github.com/cloudflare/workers-sdk · James Opstad · Jun 11, 2025 · via ghsa
18 files changed · +165 −0
  • .changeset/nasty-pots-cheat.md+5 0 added
    @@ -0,0 +1,5 @@
    +---
    +"@cloudflare/vite-plugin": patch
    +---
    +
    +Ensure that .dev.vars files cannot be accessed via the dev server or preview server.
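
Review bot: the changeset text names only `.dev.vars`, but the `src/index.ts` change in this commit also sets deny entries for `.env`, `.env.*`, `*.{crt,pem}` and `**/.git/**`, and the new spec asserts a 403 for `/.env`. Suggest listing the full set of files that are now denied, so the changelog entry tells users what the release changes for them.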
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/custom-sensitive-file+1 0 added
    @@ -0,0 +1 @@
    +Sensitive content
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/.dev.vars+1 0 added
    @@ -0,0 +1 @@
    +DEV_VAR=dev-var
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/.dev.vars.staging+1 0 added
    @@ -0,0 +1 @@
    +STAGING_DEV_VAR=staging-dev-var
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/.env+1 0 added
    @@ -0,0 +1 @@
    +ENV_VAR=env-var
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/.env.staging+1 0 added
    @@ -0,0 +1 @@
    +STAGING_ENV_VAR=staging-env-var
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/.gitignore+2 0 added
    @@ -0,0 +1,2 @@
    +!.env*
    +!.dev.vars*
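
Review bot: the negation patterns `!.env*` and `!.dev.vars*` have no comment explaining that they exist so this playground's fixture files get committed. Suggest a one-line `#` comment saying that, and that the files hold placeholder values only, so the pattern is not copied into a real project's `.gitignore`.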
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/package.json+19 0 added
    @@ -0,0 +1,19 @@
    +{
    +	"name": "@playground/sensitive-files",
    +	"private": true,
    +	"type": "module",
    +	"scripts": {
    +		"build": "vite build",
    +		"check:types": "tsc --build",
    +		"dev": "vite dev",
    +		"preview": "vite preview"
    +	},
    +	"devDependencies": {
    +		"@cloudflare/vite-plugin": "workspace:*",
    +		"@cloudflare/workers-tsconfig": "workspace:*",
    +		"@cloudflare/workers-types": "^4.20250604.0",
    +		"typescript": "catalog:default",
    +		"vite": "catalog:vite-plugin",
    +		"wrangler": "workspace:*"
    +	}
    +}
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/src/index.ts+5 0 added
    @@ -0,0 +1,5 @@
    +export default {
    +	async fetch() {
    +		return new Response("Worker response");
    +	},
    +} satisfies ExportedHandler;
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/__tests__/sensitive-files.spec.ts+56 0 added
    @@ -0,0 +1,56 @@
    +import { describe, expect, test } from "vitest";
    +import { getResponse, getTextResponse, isBuild } from "../../__test-utils__";
    +
    +describe.skipIf(isBuild)("denies access to sensitive files in dev", () => {
    +	test("denies access to .env", async () => {
    +		const response = await getResponse("/.env");
    +		expect(response.status()).toBe(403);
    +	});
    +
    +	test("denies access to .env.*", async () => {
    +		const response = await getResponse("/.env.staging");
    +		expect(response.status()).toBe(403);
    +	});
    +
    +	test("denies access to .dev.vars", async () => {
    +		const response = await getResponse("/.dev.vars");
    +		expect(response.status()).toBe(403);
    +	});
    +
    +	test("denies access to .dev.vars.*", async () => {
    +		const response = await getResponse("/.dev.vars.staging");
    +		expect(response.status()).toBe(403);
    +	});
    +
    +	test("denies access to custom-sensitive-file", async () => {
    +		const response = await getResponse("/custom-sensitive-file");
    +		expect(response.status()).toBe(403);
    +	});
    +});
    +
    +describe.runIf(isBuild)("doesn't serve sensitive files in preview", () => {
    +	test("doesn't serve .env", async () => {
    +		const response = await getTextResponse("/.env");
    +		expect(response).toBe("Worker response");
    +	});
    +
    +	test("doesn't serve .env.*", async () => {
    +		const response = await getTextResponse("/.env.staging");
    +		expect(response).toBe("Worker response");
    +	});
    +
    +	test("doesn't serve .dev.vars", async () => {
    +		const response = await getTextResponse("/.dev.vars");
    +		expect(response).toBe("Worker response");
    +	});
    +
    +	test("doesn't serve .dev.vars.*", async () => {
    +		const response = await getTextResponse("/.dev.vars.staging");
    +		expect(response).toBe("Worker response");
    +	});
    +
    +	test("doesn't serve custom-sensitive-file", async () => {
    +		const response = await getTextResponse("/custom-sensitive-file");
    +		expect(response).toBe("Worker response");
    +	});
    +});
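
Review bot: every test in the `denies access to sensitive files in dev` block expects a 403, and there is no control request showing that an ordinary path still reaches the Worker in dev, so a server that refused every request would pass this block. Suggest adding one dev-mode test that requests `/` and expects `Worker response`. The five near-identical cases in each block could also be collapsed with `test.each` over the path list.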
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/tsconfig.json+7 0 added
    @@ -0,0 +1,7 @@
    +{
    +	"files": [],
    +	"references": [
    +		{ "path": "./tsconfig.node.json" },
    +		{ "path": "./tsconfig.worker.json" }
    +	]
    +}
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/tsconfig.node.json+4 0 added
    @@ -0,0 +1,4 @@
    +{
    +	"extends": ["@cloudflare/workers-tsconfig/base.json"],
    +	"include": ["vite.config.ts", "__tests__"]
    +}
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/tsconfig.worker.json+4 0 added
    @@ -0,0 +1,4 @@
    +{
    +	"extends": ["@cloudflare/workers-tsconfig/worker.json"],
    +	"include": ["src"]
    +}
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/turbo.json+9 0 added
    @@ -0,0 +1,9 @@
    +{
    +	"$schema": "http://turbo.build/schema.json",
    +	"extends": ["//"],
    +	"tasks": {
    +		"build": {
    +			"outputs": ["dist/**"]
    +		}
    +	}
    +}
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/vite.config.ts+11 0 added
    @@ -0,0 +1,11 @@
    +import { cloudflare } from "@cloudflare/vite-plugin";
    +import { defineConfig } from "vite";
    +
    +export default defineConfig({
    +	server: {
    +		fs: {
    +			deny: ["custom-sensitive-file"],
    +		},
    +	},
    +	plugins: [cloudflare({ inspectorPort: false, persistState: false })],
    +});
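
Review bot: the `deny: ["custom-sensitive-file"]` entry under `server.fs` has no comment saying it is there to show that a user-supplied deny entry is honoured together with the plugin's own entries. Suggest a short comment to that effect, since the `custom-sensitive-file` cases in the spec depend on it.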
    
  • packages/vite-plugin-cloudflare/playground/sensitive-files/wrangler.jsonc+5 0 added
    @@ -0,0 +1,5 @@
    +{
    +	"name": "worker",
    +	"main": "./src/index.ts",
    +	"compatibility_date": "2024-12-30",
    +}
    
  • packages/vite-plugin-cloudflare/src/index.ts+12 0 modified
    @@ -115,8 +115,20 @@ export function cloudflare(pluginConfig: PluginConfig = {}): vite.Plugin[] {
     					}
     				}
     
    +				const defaultDeniedFiles = [
    +					".env",
    +					".env.*",
    +					"*.{crt,pem}",
    +					"**/.git/**",
    +				];
    +
     				return {
     					appType: "custom",
    +					server: {
    +						fs: {
    +							deny: [...defaultDeniedFiles, ".dev.vars", ".dev.vars.*"],
    +						},
    +					},
     					environments:
     						resolvedPluginConfig.type === "workers"
     							? {
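
Review bot: `defaultDeniedFiles` is a hard-coded list with no comment saying where its four patterns come from or why they have to be restated next to `.dev.vars` and `.dev.vars.*`. If they mirror Vite's own default for `server.fs.deny`, say so in a comment and note that the copy has to be kept in sync, or read the default from Vite if it is exported. The array is also declared inside the function and rebuilt on each call; hoisting it to a module-level constant would make the intent clearer.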
    
  • pnpm-lock.yaml+21 0 modified
    @@ -2752,6 +2752,27 @@ importers:
             specifier: workspace:*
             version: link:../../../wrangler
     
    +  packages/vite-plugin-cloudflare/playground/sensitive-files:
    +    devDependencies:
    +      '@cloudflare/vite-plugin':
    +        specifier: workspace:*
    +        version: link:../..
    +      '@cloudflare/workers-tsconfig':
    +        specifier: workspace:*
    +        version: link:../../../workers-tsconfig
    +      '@cloudflare/workers-types':
    +        specifier: ^4.20250604.0
    +        version: 4.20250604.0
    +      typescript:
    +        specifier: catalog:default
    +        version: 5.7.3
    +      vite:
    +        specifier: catalog:vite-plugin
    +        version: 6.1.0(@types/node@20.17.32)(jiti@2.4.2)(lightningcss@1.29.2)
    +      wrangler:
    +        specifier: workspace:*
    +        version: link:../../../wrangler
    +
       packages/vite-plugin-cloudflare/playground/spa-with-api:
         dependencies:
           react:
    
