N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4pfg-2mw5-f8jx

EPSS Score

CWE

CWE-200

Published

7/8/2025

Updated

7/8/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4pfg-2mw5-f8jx

GHSA-4pfg-2mw5-f8jx: Cloudflare Vite plugin exposes secrets over the built-in dev server

Summary

Note: originally posted on H1 but closed. Cross-posting over to here in abundance of caution instead of a public issue.

When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as:

.env
.dev.vars

PoC

Create a Workers project that utilises the @cloudflare/vite-plugin. For example:
- npm create cloudflare@latest - select Framework Starter -> React
Add any secret files to test if they're accessible. echo foobar=secret > .dev.vars for example
Run npm run dev to start the dev server (after running npm ci if necessary to install dependencies) and then hit the following to expose information:

curl http://localhost:5173/.env may expose any secrets in this file curl http://localhost:5173/.dev.vars may expose any secrets in this file curl http://localhost:5173/package.json may expose dependencies used by the project, potentially leading to other vulnerabilities curl http://localhost:5173/README.md may expose internal documentation

Impact

If the vite dev server is exposed on a public network, such as when a user simply uses wrangler to serve their application and doesn't publish to Cloudflare in production, an attacker may be able to acquire secrets that the user doesn't wish to be exposed.

Another common scenario where this could happen is when sharing previews of an application using cloudflared. npm run dev -> share preview with cloudflared -> now all secrets are exposed to the public internet.

Exposing via vite is possible via:

npm run dev -- -- --host 0.0.0.0

The default configuration has no reason to expose information outside of the configured assets directory.

Example:

curl http://somehost/.env may expose secrets curl http://somehost/.dev.vars may expose secrets curl http://somehost/package.json may expose dependencies used by the project, potentially leading to other vulnerabilities curl http://somehost/README.md may expose internal documentation

etc.

Information disclosure to anyone on the same network, or if the dev server is exposed such as via cloudflared as explored here: https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4pfg-2mw5-f8jx

EPSS Score

CWE

CWE-200

Published

7/8/2025

Updated

7/8/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@cloudflare/vite-plugin	npm	< 1.6.0	1.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an information disclosure issue within the @cloudflare/vite-plugin. The root cause is the lack of file access restrictions in the default configuration of the Vite development server set up by the plugin. The cloudflare function in packages/vite-plugin-cloudflare/src/index.ts is the main entry point for the plugin and is responsible for generating this configuration. The analysis of the fixing commit 0e500720bf70016fa4ea21fc8959c4bd764ebc38 shows that the vulnerability was patched by adding a server.fs.deny array to the configuration object returned by the cloudflare function. This new configuration explicitly prevents the Vite dev server from serving sensitive files such as .env and .dev.vars. Since the cloudflare function was responsible for creating the insecure configuration, it is identified as the vulnerable function. Any runtime profiler would show this function being called as part of the Vite server setup process.

Vulnerable functions

cloudflare

packages/vite-plugin-cloudflare/src/index.ts

The `cloudflare` function is responsible for creating the Vite plugin configuration. Prior to the patch, the configuration object returned by this function did not specify any file system restrictions for the development server. This resulted in the server allowing access to any file in the project directory, including sensitive ones like `.env` and `.dev.vars`. The patch rectifies this by adding the `server.fs.deny` property to the configuration, explicitly blocking access to a list of sensitive files and patterns.

WAF Protection Rules

WAF Rule

### Summ*ry Not*: [ori*in*lly post** on **](*ttps://***k*ron*.*om/r*ports/*******) *ut *los**. *ross-postin* ov*r to **r* in **un**n** o* **ution inst*** o* * pu*li* issu*. W**n utilisin* t** *lou**l*r* Vit* plu*in in its ****ult *on*i*ur*tion, *l

Reasoning

T** vuln*r**ility is *n in*orm*tion *is*losur* issu* wit*in t** `@*lou**l*r*/vit*-plu*in`. T** root **us* is t** l**k o* *il* ****ss r*stri*tions in t** ****ult *on*i*ur*tion o* t** Vit* **v*lopm*nt s*rv*r s*t up *y t** plu*in. T** `*lou**l*r*` *un*t

N/A

Basic Information

Concerned about an active attack path?

GHSA-4pfg-2mw5-f8jx: Cloudflare Vite plugin exposes secrets over the built-in dev server

Summary

PoC

Impact

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI