CVE-2025-59427

Cloudflare vite plugin exposes secrets over the built-in dev server

Description

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.

INFO

Published Date :

2025-09-19T15:30:10.139Z

Last Modified :

2025-09-19T16:05:12.864Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-59427 vulnerability.

Vendors	Products
Cloudflare	Vite Workerd

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59427.

URL	Resource
https://github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4bd764ebc38
https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773
https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-4pfg-2mw5-f8jx
https://hackerone.com/reports/3117837

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability