CVE-2025-32395

MEDIUM NUCLEI

NPM Vite < 6.2.6 - Information Disclosure

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-32395. PoCs published by iSee857, ruiwenya. A Nuclei detection template is also available.

AI-analyzed exploit summary

The repository contains a functional exploit for CVE-2026-22812, targeting OpenCode with a command execution vulnerability. The script sends a crafted JSON payload to the '/session/{id}/shell' endpoint to execute the 'id' command, verifying RCE by checking for 'uid=' and 'gid=' in the response.

Description

Vite is a frontend tooling framework for JavaScript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. The HTTP/1.1 specification (RFC 9112) does not allow # in the request-target, but an attacker can still send such a request. For requests with an invalid request-line (which includes the request-target), the spec recommends rejecting them with 400 or 301; the same applies to HTTP/2. On Node and Bun, those requests are not rejected internally and are passed to user land, so the value of http.IncomingMessage.url contains #. Vite assumed req.url would not contain # when checking server.fs.deny, allowing such requests to bypass the check. Only apps that explicitly expose the Vite dev server to the network (using --host or the server.host config option) and run it on a runtime other than Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.

Exploits (2)

github · WORKING POC · 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/Vite-CVE-2025-32395-ReadAnyFile.py

The repository contains a functional exploit for CVE-2026-22812, targeting OpenCode with a command execution vulnerability. The script sends a crafted JSON payload to the '/session/{id}/shell' endpoint to execute the 'id' command, verifying RCE by checking for 'uid=' and 'gid=' in the response.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenCode (version not specified)
No auth needed
Prerequisites: Network access to the target · OpenCode service running and accessible
devstral-2 · analyzed Feb 27, 2026
nomisec · WORKING POC · 1 star
by ruiwenya · poc
https://github.com/ruiwenya/CVE-2025-32395

This PoC exploits a path traversal vulnerability (CVE-2025-32395) in Vite by leveraging the /@fs endpoint to access arbitrary files (e.g., /etc/passwd or Windows/win.ini). It includes logic to handle both Linux and Windows targets and supports proxy usage.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Vite (version not specified)
No auth needed
Prerequisites: Target must expose the /@fs endpoint · Network access to the target
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Vite - Path Traversal
MEDIUM · VERIFIED · by ChrisJr404
Shodan: http.html:"/@vite/client"
FOFA: body="/@vite/client"

Scores

CVSS v4 6.0
EPSS 0.0317
EPSS Percentile 87.3%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (6)
npm/vite 6.2.0 - 6.2.6 (npm)
vitejs/vite < 4.5.13
vitejs/vite >= 5.0.0, < 5.4.18
vitejs/vite >= 6.0.0, < 6.0.15
vitejs/vite >= 6.1.0, < 6.1.5
vitejs/vite >= 6.2.0, < 6.2.6
Published Apr 10, 2025
Tracked Since Feb 18, 2026