Summary
Vulnerability Name | Vite Access Control Bypass (CVE-2025-30208) |
Released on | March 27, 2025 |
Affected Component | Vite |
Affected Versions | 6.2.0 ≤ Vite ≤ 6.2.2; 6.1.0 ≤ Vite ≤ 6.1.1; 6.0.0 ≤ Vite ≤ 6.0.11; 5.0.0 ≤ Vite ≤ 5.4.14; Vite ≤ 4.5.9 |
Vulnerability Type | Access control bypass |
Exploitation Condition | |
Impact | Exploitation difficulty: easy. This vulnerability enables attackers to access resources without authorization. Severity: medium. This vulnerability may result in sensitive information leakage and unauthorized access. |
Official Solution | Available |
About the Vulnerability
Component Introduction
Vite is a modern frontend development tool that uses the browser's native ES module imports to provide a fast development server and fast builds. Vite aims to improve the development experience and development efficiency through technologies such as hot module replacement (HMR).
Vulnerability Description
On April 01, 2025, Sangfor FarSight Labs received notification of the arbitrary file read vulnerability in Vite (CVE-2025-31125), classified as medium in threat level.
Unauthorized attackers can exploit this vulnerability by constructing malicious HTTP requests to access arbitrary files, which may lead to sensitive information leakage.
Affected Versions
The following Vite versions are affected:
Vite ≤ 4.5.10
5.0.0 ≤ Vite ≤ 5.4.15
6.0.0 ≤ Vite ≤ 6.0.12
6.1.0 ≤ Vite ≤ 6.1.2
6.2.0 ≤ Vite ≤ 6.2.3
Vulnerability Reproduction
Sangfor FarSight Labs has reproduced this vulnerability.

Solutions
Remediation Solutions
Official Solution
An official release that fixes the vulnerability is available. Affected users are advised to update the Vite server to one of the following versions:
Vite 6.2.4
Vite 6.1.3
Vite 6.0.13
Vite 5.4.16
Vite 4.5.11
Download link: https://github.com/vitejs/vite/releases
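The following added example (not part of the original advisory and not Sangfor or Vite project code) checks every copy of Vite recorded in an npm lockfile against the ranges in the "Affected Versions" list under "About the Vulnerability" and reports the fixed release to move to. The function names and the sample lockfile are constructed for illustration; pre-release suffixes are ignored as a simplification.

```javascript
// [lowest affected version, first fixed version], as listed in this advisory for CVE-2025-31125.
const RANGES = [
  ["0.0.0", "4.5.11"],
  ["5.0.0", "5.4.16"],
  ["6.0.0", "6.0.13"],
  ["6.1.0", "6.1.3"],
  ["6.2.0", "6.2.4"],
];

// Parse "major.minor.patch"; any pre-release/build suffix is ignored (simplification).
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected when low <= version < fixed for one of the listed release lines.
function classifyViteVersion(version) {
  const v = parse(version);
  for (const [low, fixed] of RANGES) {
    if (cmp(v, parse(low)) >= 0 && cmp(v, parse(fixed)) < 0) {
      return { version, affected: true, upgradeTo: fixed };
    }
  }
  return { version, affected: false, upgradeTo: null };
}

// npm lockfile v2/v3: every key ending in "node_modules/vite" is an installed
// copy, including copies nested under other dependencies.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/vite$/.test(path))
    .map(([path, pkg]) => ({ path, ...classifyViteVersion(pkg.version) }));
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/vite": { version: "6.2.3" },
    "node_modules/vitest/node_modules/vite": { version: "5.4.16" },
    "node_modules/vite-node": { version: "3.0.9" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; nested copies matter because a patched top-level Vite does not update one pinned by another dependency.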
Sangfor Solutions
Risky Asset Discovery
The following Sangfor services can conduct proactive detection on Vite to discover affected assets in batches in business scenarios:
Sangfor Host Security: The corresponding asset discovery solution has been released. The fingerprint ID is 0032127.
Sangfor TSS: The corresponding asset discovery solution has been released. The fingerprint ID is 0032127.
Vulnerability Detection
The following Sangfor services can proactively detect CVE-2025-31125 vulnerabilities and quickly identify vulnerability risks in batches in business scenarios:
Sangfor Host Security: The corresponding detection solution will be released on April 06, 2025. The rule ID is SF-2025-00365.
Sangfor TSS: The corresponding detection solution will be released on April 07, 2025. The rule ID is SF-2025-00994.
Sangfor Cyber Guardian Platform: The corresponding detection solution will be released on April 07, 2025. The rule ID is SF-2025-00994. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Sangfor TSS.
Sangfor XDR: The corresponding detection solution will be released on April 06, 2025. The rule ID is SF-2025-00365. In this case, make sure that Sangfor XDR is integrated with Sangfor Host Security.
Vulnerability Monitoring
The following Sangfor services support CVE-2025-31125 vulnerability monitoring, and can quickly identify affected assets and the impact scope in business scenarios in real time through traffic collection:
Cyber Command: The corresponding monitoring solution will be released on April 11, 2025. The rule ID is 11027472.
Sangfor Cyber Guardian Platform: The corresponding monitoring solution will be released on April 11, 2025. The rule ID is 11027472. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Cyber Command.
Sangfor XDR: The corresponding monitoring solution will be released on April 11, 2025. The rule ID is 11027472.
Vulnerability Prevention
The following Sangfor services can effectively block CVE-2025-31125 exploits:
Network Secure: The corresponding prevention solution will be released on April 11, 2025. The rule ID is 11027472.
Sangfor Web Application Firewall: The corresponding prevention solution will be released on April 11, 2025. The rule ID is 11027472.
Sangfor Cyber Guardian Platform: The corresponding prevention solution will be released on April 11, 2025. The rule ID is 11027472. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Network Secure.
Sangfor XDR: The corresponding prevention solution will be released on April 11, 2025. The rule ID is 11027472. In this case, make sure that Sangfor XDR is integrated with Network Secure.
Timeline
On April 01, 2025, Sangfor FarSight Labs received notification of the arbitrary file read vulnerability in Vite (CVE-2025-31125).
On April 01, 2025, Sangfor FarSight Labs released a vulnerability alert.
References
https://github.com/advisories/GHSA-4r4m-qw57-chr8