CVE-2025-31486

MEDIUM NUCLEI

Vite server.fs.deny Bypass - Local File Inclusion

Title source: nuclei
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-31486. PoCs published by Ly4j, iSee857, hackmelocal. A Nuclei detection template is also available.

AI-analyzed exploit summary
This PoC exploits an arbitrary file read vulnerability in Vite SSR by crafting specific path traversal payloads to leak sensitive files like /etc/passwd or C:\windows\win.ini. It validates the leaked content using base64 decoding and pattern matching.

Description

Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init, or by sending a sec-fetch-dest: script header, the server.fs.deny restriction could be bypassed. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.

Exploits (4)

nomisec WORKING POC 6 stars
by Ly4j · poc
https://github.com/Ly4j/CVE-2025-31486

This PoC exploits an arbitrary file read vulnerability in Vite SSR by crafting specific path traversal payloads to leak sensitive files like /etc/passwd or C:\windows\win.ini. It validates the leaked content using base64 decoding and pattern matching.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Vite SSR (version not specified)
No auth needed
Prerequisites: Target running vulnerable Vite SSR instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 6 stars
by iSee857 · poc
https://github.com/iSee857/CVE-2025-31486-PoC

This repository contains a Python-based scanner for CVE-2025-31486, a path traversal vulnerability in Vite.js. The script checks for the presence of the vulnerability by sending crafted requests to target URLs and analyzing responses for indicators of successful exploitation.

Classification
Working Poc | Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Vite.js (version not specified)
No auth needed
Prerequisites: Target URL or list of URLs · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by hackmelocal · poc
https://github.com/hackmelocal/CVE-2025-31486-Simulation

This repository provides a containerized lab environment to simulate and exploit CVE-2025-31486, a path traversal vulnerability in Vite's development server. The exploit allows reading arbitrary files by bypassing security checks via crafted URLs.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Vite (older versions)
No auth needed
Prerequisites: Vulnerable Vite version · Exposed dev server with --host flag · File size < 4KB (default inline limit)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by ll104567 · poc
https://github.com/ll104567/CVE-2025-31486

This PoC demonstrates an arbitrary file read vulnerability in Vite SSR by exploiting path traversal and improper input validation. It attempts to read sensitive files (e.g., /etc/passwd, C:\windows\win.ini) via crafted payloads and validates the response content.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Vite SSR (version not specified)
No auth needed
Prerequisites: Target URL with Vite SSR running · Network access to the target
devstral-2 · analyzed Apr 28, 2026

Nuclei Templates (1)

Vite server.fs.deny Bypass - Local File Inclusion
MEDIUM · VERIFIED · by wn147
Shodan: title:"Vite App"
FOFA: title="Vite App"

Scores

CVSS v3 5.3
EPSS 0.0474
EPSS Percentile 89.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-200 CWE-284
Status published
Products (6)
npm/vite 6.2.0 - 6.2.5 (npm)
vitejs/vite < 4.5.12
vitejs/vite >=5.0.0, < 5.4.17
vitejs/vite >=6.0.0, < 6.0.14
vitejs/vite >=6.1.0, < 6.1.4
vitejs/vite >=6.2.0, < 6.2.5
Published Apr 03, 2025
Tracked Since Feb 18, 2026