Description

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.

INFO

Published Date :

2025-04-03T18:24:39.616Z

Last Modified :

2025-04-03T20:39:28.939Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-31486 vulnerability.

Vendors Products
Vitejs
  • Vite
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-31486.

URL Resource
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 cve-icon cve-icon cve-icon
https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647 cve-icon cve-icon cve-icon
https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-31486 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-31486 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact