CVE-2025-31125 Scanner

CVE-2025-31125 Scanner - Path Traversal vulnerability in Vite Development Server

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 20 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Vite is a modern build tool for front-end web development, frequently used in projects built on frameworks such as Vue, React, and Svelte. Developers use it primarily to serve applications locally in development mode. The Vite development server provides fast hot module replacement (HMR) and an optimized environment for local testing, and it is common in modern front-end stacks where rapid development and testing cycles are essential. Developers frequently expose the Vite server on the network using the `--host` flag, which introduces network-level risk. The Vite community actively maintains and upgrades the tool as part of the front-end developer ecosystem.

The identified vulnerability is a path traversal flaw in the Vite development server's `@fs` endpoint. It allows remote attackers to read files outside the intended project root. When the server is misconfigured to listen on the network, attackers can send crafted requests that reach arbitrary file paths, which may disclose system files or sensitive configuration files on both Linux and Windows hosts. The flaw stems from improper path sanitization and a lack of access restrictions. Although it is rated medium severity, it has serious implications for exposed environments.

This vulnerability is triggered through the `/@fs/` route, which Vite uses to serve files from the filesystem. By supplying relative path segments such as `../../../../etc/passwd`, an attacker can step outside the intended directory structure. URL-encoded traversal sequences (e.g. the double-encoded `%252e%252e`) also succeed because decoding is not restricted. The responses are JavaScript payloads that contain the sensitive file contents, base64-encoded. The issue is exploitable when the development server is exposed to remote users, in particular via the `--host` option. Several crafted request variants trigger this behavior consistently across affected versions.

If exploited, this vulnerability may allow attackers to read critical system files such as `/etc/passwd` or `C:/windows/win.ini`, which could lead to information disclosure. While this does not directly result in remote code execution, it can facilitate further attacks by revealing system configurations or user credentials. On shared or multi-user systems, this could lead to privilege escalation or leakage of environment-specific secrets. Developers unaware of the risks of exposing the development server might unknowingly allow lateral movement or reconnaissance activity. In high-security environments, even medium-severity information disclosures can have a cascading impact. Ensuring the server remains inaccessible from the outside is critical.
