5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31125

GHSA ID

GHSA-4r4m-qw57-chr8

EPSS Score

0.92994%

CWE

CWE-200

Published

3/31/2025

Updated

3/31/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-31125

CVE-2025-31125: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
content of non-allowed files is exposed using ?raw?import

/@fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31125

GHSA ID

GHSA-4r4m-qw57-chr8

EPSS Score

0.92994%

CWE

CWE-200

Published

3/31/2025

Updated

3/31/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vite	npm	>= 6.2.0, < 6.2.4	6.2.4
vite	npm	>= 6.1.0, < 6.1.3	6.1.3
vite	npm	>= 6.0.0, < 6.0.13	6.0.13
vite	npm	>= 5.0.0, < 5.4.16	5.4.16
vite	npm	< 4.5.11	4.5.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete query parameter validation in transformMiddleware. The patch shows:

Addition of inlineRE regex pattern for 'inline' query param
Expansion of the security check condition to include inlineRE.test()
This indicates the original vulnerability allowed requests with ?inline/raw?import to bypass ensureServingAccess checks
transformMiddleware is the primary request processing function that would appear in profiler when handling malicious URLs
The function signature matches the middleware pattern shown in the patch diff where security checks are applied

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** *ont*nts o* *r*itr*ry *il*s **n ** r*turn** to t** *rows*r. ### Imp**t Only *pps *xpli*itly *xposin* t** Vit* **v s*rv*r to t** n*twork (usin* `--*ost` or [`s*rv*r.*ost` *on*i* option](*ttps://vit*js.**v/*on*i*/s*rv*r-options.*tml#s

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* qu*ry p*r*m*t*r v*li**tion in tr*ns*ormMi**l*w*r*. T** p*t** s*ows: *. ***ition o* inlin*R* r***x p*tt*rn *or 'inlin*' qu*ry p*r*m *. *xp*nsion o* t** s**urity ****k *on*ition to in*lu** inlin*R*.t*st() *. T*is

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-31125: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary

Impact

Details

PoC

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI