CVE-2025-31486 MEDIUM

CVE-2025-31486: Vite allows server.fs.deny to be bypassed with .svg or relative paths

Vendor Vitejs

Product vite

Weakness CWE-200 · Info exposure

Published April 3, 2025

Last update April 3, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.

Key dates

02Disclosure timeline

April 3, 2025 CVE published

April 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-31486

Related vulnerabilities

Identifiers

CVE CVE-2025-31486

CWE CWE-200

CVSS 5.3 / MEDIUM

Affected versions

Vendor Vitejs

Product vite

Affected < 4.5.12

Vendor Vitejs

Product vite

Affected >=5.0.0, < 5.4.17

Vendor Vitejs

Product vite

Affected >=6.0.0, < 6.0.14

Vendor Vitejs

Product vite

Affected >=6.1.0, < 6.1.4

Vendor Vitejs

Product vite

Affected >=6.2.0, < 6.2.5

CVE-2025-31486: Vite allows server.fs.deny to be bypassed with .svg or relative paths

01Description

02Disclosure timeline

03References

04Related CVE