Hillstone Networks

RULE（RULE ID：338783）

Rule General Information


Release Date:		2025-04-08

Rule Name:		Vite Arbitrary File Read Vulnerability (CVE-2025-31125 CVE-2025-31486)

Severity:

CVE ID:

Rule Protection Details


Description:		Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg or inline with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.

Impact:		An attacker could exploit this vulnerability to have unspecified effect.

Affected OS:		Windows, Linux, Others

Reference:		https://nvd.nist.gov/vuln/detail/CVE-2025-31125 https://nvd.nist.gov/vuln/detail/CVE-2025-31486

Solutions

Refer to the announcement or patch by the vendor: https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8