Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
PoC: CVE-2025-31125
Vite WASM Import Path Traversal 🛡️
PoC: CVE-2025-31125
Vite 任意文件读取漏洞POC
PoC: Path-Transversal-CVE-2025-31125-
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
PoC: Vitejs-exploit
Vite Development Server's @fs endpoint (CVE-2025-31125) to access sensitive files like /etc/passwd and /etc/hosts via crafted URLs.
Get alerted for CVEs like this
Register your stack and get notified within minutes when a matching CVE drops.
Start monitoring free