Detections
Analytics
Vite < 4.5.11 / 5.0.x < 5.4.16 / 6.0.x < 6.0.13 / 6.1.x < 6.1.3 / 6.2.x < 6.2.4 Arbitrary File Read
medium Web App Scanning Plugin ID 115120
Language:
Synopsis
Vite < 4.5.11 / 5.0.x < 5.4.16 / 6.0.x < 6.0.13 / 6.1.x < 6.1.3 / 6.2.x < 6.2.4 Arbitrary File ReadDescription
Vite version prior to 4.5.11, 5.0.x prior to 5.4.16, 6.0.x prior to 6.0.13, 6.1.x prior to 6.1.3 or 6.2.x prior to 6.2.4 are affected by a vulnerability allowing unauthenticated remote attackers to read arbitrary files on the affected host when the app is exposing the Vite dev server to the network.Solution
Upgrade to Vite 4.5.11, 5.4.16, 6.0.13, 6.1.3, 6.2.4 or later.See Also
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8
Plugin Details
Severity: Medium
ID: 115120
Type: remote
Family: Component Vulnerability
Published: 1/28/2026
Updated: 1/28/2026
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 5.1
CVSS v2
Risk Factor: High
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS Score Source: CVE-2025-31125
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score Source: CVE-2025-31125
CVSS v4
Risk Factor: Medium
Base Score: 6
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable
Vulnerability Information
CPE: cpe:2.3:a:vitejs:vite:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/10/2025
Vulnerability Publication Date: 3/25/2025
CISA Known Exploited Vulnerability Due Dates: 2/12/2026
Reference Information
CVE: CVE-2025-31125
OWASP: 2010-A6, 2010-A8, 2013-A5, 2013-A7, 2013-A9, 2017-A5, 2017-A6, 2017-A9, 2021-A1, 2021-A6
WASC: Information Leakage, Insufficient Authorization
CAPEC: 116, 13, 169, 19, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 441, 472, 478, 479, 497, 502, 503, 508, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 573, 574, 575, 576, 577, 578, 59, 60, 616, 643, 646, 651, 79
DISA STIG: APSC-DV-000460, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SI-15
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1, 4.0.2-8.3.4