MEDIUM🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-31125

CVSS 5.3v3.1pub. 2025-03-31upd. 2026-01-23

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
  • Vitejs Vite

    APP
    Vitejs
    < 4.5.115.0.0 – 5.4.16 (bez)6.0.0 – 6.0.13 (bez)6.1.0 – 6.1.3 (bez)6.2.0 – 6.2.4 (bez)

CISA KEV — detailsi

Vendori
Vite
Producti
Vitejs
Added to KEVi
January 22, 2026
Remediation deadline (US Federal)i
February 12, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 12 lutego 2026
CWE
References

Related vulnerabilities

CVE-2026-53571HIGH8.2ten sam produkt

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files ...

CVE-2026-39363HIGH8.2ten sam produkt

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is po...

CVE-2026-39364HIGH8.2ten sam produkt

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev ser...

CVE-2024-23331HIGH7.5ten sam produkt

Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypass...

CVE-2023-34092HIGH7.5ten sam produkt

Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server O...