Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-31125

Опубликовано: 31 мар. 2025
Источник: redhat
CVSS3: 5.3

Описание

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

A flaw was found in the Vite Node.js package. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using the --host or server.host config options) are affected.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 2automation-controllerFix deferred
Red Hat Ansible Automation Platform 2automation-eda-controllerFix deferred
Red Hat Ansible Automation Platform 2automation-gatewayFix deferred
Red Hat JBoss Enterprise Application Platform 8org.keycloak-keycloak-parentFix deferred
Red Hat JBoss Enterprise Application Platform Expansion Packorg.keycloak-keycloak-parentFix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-gateway-opa-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-gateway-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-jaeger-query-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-query-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-rhel8Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
Дефект:
CWE-284
https://bugzilla.redhat.com/show_bug.cgi?id=2356283vite: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

5.3 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-31125

CVSS3: 5.3
nvd
6 месяцев назад

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

debian логотип

CVE-2025-31125

CVSS3: 5.3
debian
6 месяцев назад

Vite is a frontend tooling framework for javascript. Vite exposes cont ...

github логотип

GHSA-4r4m-qw57-chr8

CVSS3: 5.3
github
6 месяцев назад

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

5.3 Medium

CVSS3