CVE-2025-59427
Severity: LOW
Cloudflare Vite Plugin < 1.6.0 - Unauthenticated Exposure of Sensitive Information via Local Dev Server
Title source: llmDescription
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When the Cloudflare Vite plugin is used in its default configuration, the local dev server serves all files, including files in the project root directory that contain secrets, such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.
References (4)
Vendor Advisory x_refsource_confirm
https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-4pfg-2mw5-f8jx
Patch x_refsource_misc
https://github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4bd764ebc38
Third Party Advisory x_refsource_misc
https://hackerone.com/reports/3117837
Various Sources x_refsource_misc
https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773
Scores
CVSS v4
2.9
EPSS
0.0036
EPSS Percentile
27.5%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
cloudflare/vite-plugin
0 - 1.6.0 (npm)
cloudflare/workers-sdk
< 1.6.0
Published
Sep 19, 2025
Tracked Since
Feb 18, 2026