#VU106382 Information disclosure in Vite - CVE-2025-31125

Cybersecurity Help s.r.o.

Published: 2025-04-02 | Updated: 2025-05-09

Vulnerability identifier: #VU106382

Vulnerability risk: Medium

CVSSv4.0: 5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2025-31125

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Vite
Other software / Other software solutions

Vendor: Vite

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the contents of arbitrary files can be returned to the browser. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Vite: 4.5.0 - 6.2.3

External links
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Information disclosure in Vite