{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-26T15:04:52.626Z", "datePublished": "2025-03-31T17:06:30.704Z", "dateUpdated": "2025-03-31T17:59:26.675Z"}, "containers": {"cna": {"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"}, {"name": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 6.2.0, < 6.2.4", "status": "affected"}, {"version": ">= 6.1.0, < 6.1.3", "status": "affected"}, {"version": ">= 6.0.0, < 6.0.13", "status": "affected"}, {"version": ">= 5.0.0, < 5.4.16", "status": "affected"}, {"version": "< 4.5.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-31T17:31:51.583Z"}, "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."}], "source": {"advisory": "GHSA-4r4m-qw57-chr8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T17:59:19.450898Z", "id": "CVE-2025-31125", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T17:59:26.675Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-31125", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T17:59:19.450898Z"}}}], "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T17:58:49.260Z"}}], "cna": {"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query", "source": {"advisory": "GHSA-4r4m-qw57-chr8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"status": "affected", "version": ">= 6.2.0, < 6.2.4"}, {"status": "affected", "version": ">= 6.1.0, < 6.1.3"}, {"status": "affected", "version": ">= 6.0.0, < 6.0.13"}, {"status": "affected", "version": ">= 5.0.0, < 5.4.16"}, {"status": "affected", "version": "< 4.5.11"}]}], "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "name": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949", "name": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-31T17:31:51.583Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31125", "state": "PUBLISHED", "dateUpdated": "2025-03-31T17:59:26.675Z", "dateReserved": "2025-03-26T15:04:52.626Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-31T17:06:30.704Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11."}], "id": "CVE-2025-31125", "lastModified": "2025-04-01T20:26:22.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-31T17:15:43.163", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query", "id": "2356283", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356283"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "(CWE-200|CWE-284)", "details": ["Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.", "A flaw was found in the Vite Node.js package. Vite exposes content of non-allowed files using `?inline&import` or `?raw?import`. Only apps explicitly exposing the Vite dev server to the network (using the `--host` or `server.host` config options) are affected."], "name": "CVE-2025-31125", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-gateway-opa-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-gateway-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-rhel8-operator", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2025-03-31T17:06:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-31125\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-31125\nhttps://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949\nhttps://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8"], "threat_severity": "Moderate"}