VDB

CVE-2025-31125

CVE-2025-31125 PUBLISHED KEV CVSS 5.300000190734863 MEDIUM

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

EPSS 83.24% · 99.3th percentile

Risk Scores

CVSS v3.1
5.300000190734863
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score
83.24%
99.3th percentile

Affected Products

VendorProductVersions
vitejsvite6.0.0, < 4.5.11, 5.0.0
npmvite6.2.0, 6.1.0, 6.0.0

Timeline

  • Jan 21, 1970 VulnCheck XDB Entry
  • Jan 21, 1970 VulnCheck XDB Entry
  • Jan 21, 1970 VulnCheck XDB Entry
  • Jan 21, 1970 VulnCheck XDB Entry
  • Jan 21, 1970 VulnCheck XDB Entry
  • Mar 31, 2025 CVE Published
  • Apr 1, 2025 EPSS Score
  • Apr 3, 2025 PoC Published
  • Apr 4, 2025 PoC Published
  • Apr 7, 2025 PoC Published
  • Apr 15, 2025 EPSS Score
  • Apr 18, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›