#VU112049 Improper access control in Vite - CVE-2025-31486
Published: June 30, 2025
Vulnerability identifier: #VU112049
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-31486
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Vite
Vite
Software vendor:
Vite
Vite
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Remediation
Install updates from vendor's website.