CVE-2025-59427 LOW

CVE-2025-59427: Cloudflare vite plugin exposes secrets over the built-in dev server

Vendor: Cloudflare
Product: workers-sdk
Weakness: CWE-200 · Info exposure
Published: September 19, 2025
Last update: September 19, 2025

CVSS base score

2.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.

Key dates

02 Disclosure timeline

September 19, 2025: CVE published
September 19, 2025: Record updated