CVE-2025-31486 Information

Apr 04, 2025 cve

Description

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using –host or server.host config option) are affected. This vulnerability is fixed in 4.5.12 5.4.17 6.0.14 6.1.4 and 6.2.5.

Reference

https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647 https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x

Share on: