CVE-2025-31125 MEDIUM

CVE-2025-31125: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Vendor Vitejs
Product vite
Weakness CWE-200 · Info exposure
KEV Status Known Exploited
Published March 31, 2025
Last update January 23, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Vite is a frontend tooling framework for JavaScript. Vite exposes the content of files that `server.fs.deny` is supposed to block when they are requested with the `?inline&import` or `?raw?import` query. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
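As an added example (not part of this record or of the Vite project), the following Node script classifies an installed Vite version against the fix versions listed above and checks the network-exposure precondition from the description. The helper names, the treatment of minor lines newer than the latest fixed one as already patched, and the loopback host list are this example's own assumptions.

```javascript
// Added example, not from the CVE record or from Vite itself. The fixed
// versions are the ones the description lists; helper names are invented here.
const FIXED_VERSIONS = ['6.2.4', '6.1.3', '6.0.13', '5.4.16', '4.5.11'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true = affected, false = fixed, null = major line not covered by this record.
function isVulnerableVersion(installed) {
  const v = parseVersion(installed);
  const sameMajor = FIXED_VERSIONS.map(parseVersion).filter((f) => f[0] === v[0]);
  if (sameMajor.length === 0) return null;
  const sameLine = sameMajor.find((f) => f[1] === v[1]);
  if (sameLine) return compareVersions(v, sameLine) < 0;
  // No fix on this major.minor line: assume a newer minor line was cut after
  // the fix, while an older minor line never received a patch.
  const newestFixedMinor = Math.max(...sameMajor.map((f) => f[1]));
  return v[1] < newestFixedMinor;
}

// Precondition from the description: dev server exposed via --host or
// server.host. Loopback values (assumed list) keep the server local.
function devServerExposed(config = {}, argv = []) {
  const i = argv.indexOf('--host');
  let cliValue = (argv.find((a) => a.startsWith('--host=')) || '').slice(7);
  if (i !== -1 && argv[i + 1] && !argv[i + 1].startsWith('-')) cliValue = argv[i + 1];
  if (i !== -1 && cliValue === '') return true; // bare --host: all interfaces
  const host = cliValue || (config.server && config.server.host);
  if (host === true) return true;
  if (typeof host !== 'string') return false;
  return !['localhost', '127.0.0.1', '::1'].includes(host);
}

// Combine both conditions: a vulnerable version only matters when exposed.
function assess(installed, config, argv) {
  const vulnerableVersion = isVulnerableVersion(installed);
  const exposed = devServerExposed(config, argv);
  return { vulnerableVersion, exposed, atRisk: vulnerableVersion === true && exposed };
}

console.log(assess('6.2.3', { server: { host: true } }, []));
```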

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

March 31, 2025 CVE published
January 23, 2026 Record updated