CVE-2025-31125

MEDIUM KEV NUCLEI

Vite Development Server - Path Traversal

Title source: nuclei

Exploitation Summary

CVE-2025-31125 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 22, 2026. EIP tracks 5 public exploits from researchers including cybersecplayground, sunhuiHi666, 0xgh057r3c0n. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains detailed technical writeups for multiple CVEs, including command injection, XXE, SQLi, and RCE vulnerabilities. Each writeup includes vulnerability overviews, proof-of-concept details, and mitigation recommendations.

Description

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

Exploits (5)

github WRITEUP 7 stars

by cybersecplayground · poc

https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/CVE-2025-31125.md

View Code ZIP pw:eip

The repository contains detailed technical writeups for multiple CVEs, including command injection, XXE, SQLi, and RCE vulnerabilities. Each writeup includes vulnerability overviews, proof-of-concept details, and mitigation recommendations.

Classification

Writeup 95%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)

No auth needed

Prerequisites: Access to vulnerable endpoints · Basic understanding of exploit techniques

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec SCANNER 5 stars

by sunhuiHi666 · infoleak

https://github.com/sunhuiHi666/CVE-2025-31125

View Code ZIP pw:eip

This is a Python-based vulnerability scanner for CVE-2025-31125 that checks for exposed file system paths via specific URLs. It supports single and batch target scanning, with results saved to files.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Unknown (likely a web server or application with improper path handling)

No auth needed

Prerequisites: Network access to the target · Target must be vulnerable to the specific path traversal

MITRE ATT&CK

T1119 - Automated Collection T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by 0xgh057r3c0n · infoleak

https://github.com/0xgh057r3c0n/CVE-2025-31125

View Code ZIP pw:eip

This PoC exploits CVE-2025-31125, a path traversal vulnerability in Vite's WASM import handling, to retrieve sensitive files like `/etc/passwd` from vulnerable servers. It sends crafted requests to extract and decode base64-encoded WASM content.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Vite (version not specified)

No auth needed

Prerequisites: Vulnerable Vite server exposed to the internet · Network access to the target

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by harshgupptaa · infoleak

https://github.com/harshgupptaa/Path-Transversal-CVE-2025-31125-

View Code ZIP pw:eip

This is a functional exploit for CVE-2025-31125, a path traversal vulnerability in the Vite development server's @fs endpoint. It crafts URLs to access sensitive files like /etc/passwd and /etc/hosts, decoding base64 responses to retrieve file contents.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Vite Development Server (version not specified)

No auth needed

Prerequisites: Vite development server exposed to the network · Access to the @fs endpoint

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by MuhammadWaseem29 · infoleak

https://github.com/MuhammadWaseem29/Vitejs-exploit

View Code ZIP pw:eip

This PoC exploits a path traversal vulnerability (CVE-2025-31125) in Vite Development Server's @fs endpoint to access sensitive files like /etc/passwd and /etc/hosts via crafted URLs. It sends HTTP requests to the target, checks for base64-encoded responses, and decodes the data.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Vite Development Server (version not specified)

No auth needed

Prerequisites: Target running a vulnerable Vite Development Server · Network access to the target server

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Vite Development Server - Path Traversal

MEDIUMVERIFIEDby martian,ritikchaddha,v2htw

Shodan: title:"Vite App"

FOFA: title="Vite App"

References (3)

Core 3

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8

Patch x_refsource_misc

https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949

View Patch ZIP pw:eip

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125

Scores

CVSS v3 5.3

EPSS 0.8324

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2026-01-22

VulnCheck KEV 2025-05-30

ENISA EUVD EUVD-2025-8866

CWE

CWE-284 CWE-200

Status published

Products (2)

npm/vite 6.2.0 - 6.2.4npm

vitejs/vite < 4.5.11

Published Mar 31, 2025

KEV Added Jan 22, 2026

Tracked Since Feb 18, 2026