CVE-2025-31486
PUBLISHED
CVSS 5.3 MEDIUM
Vite allows server.fs.deny to be bypassed with .svg or relative paths
EPSS 4.74% · 89.6th percentile
Risk Scores
CVSS v3.1
5.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score
4.74%
89.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | vite | 6.1.0, 6.2.0, 6.0.0 |
| vitejs | vite | < 4.5.12, >=5.0.0, < 5.4.17, >=6.0.0, < 6.0.14 |
Timeline
- Apr 3, 2025 CVE Published
- Apr 3, 2025 CVE Updated
- Apr 3, 2025 PoC Published
- Apr 4, 2025 EPSS Score
- Apr 9, 2025 PoC Published
- Apr 17, 2025 EPSS Score
- Apr 30, 2025 EPSS Score
- May 25, 2025 EPSS Score
- May 31, 2025 PoC Published
- Jun 7, 2025 EPSS Score
- Jun 20, 2025 EPSS Score
- Jul 2, 2025 EPSS Score
References
- https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x url
- https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647 url
- https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-31486 advisory
- https://github.com/vitejs/vite package