Actively Exploited Vite Vitejs Vulnerability (CVE-2025-31125)

UpGuard Team
January 27, 2026

Key facts: vitejs data breach

  • Date reported: January 23, 2026.
  • Vulnerability: CVE-2025-31125 (improper access control).
  • Affected software: Vite versions prior to 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
  • Impact: Unauthorized reading of arbitrary files from the server's filesystem.
  • Severity: Rated as medium (CVSS 5.3) by the vendor, though added to CISA's Known Exploited Vulnerabilities catalog on January 22, 2026.
  • Exploitation condition: Only affects development servers explicitly exposed to the network (via --host or server.host config).

What happened in the vitejs data breach?

vitejs (vite.dev) reported a security incident involving a data leak on January 23, 2026. The report names no specific threat actor in connection with the underlying vulnerability, though the flaw is reportedly being exploited in the wild.

The incident involves CVE-2025-31125, an improper access control flaw in Vite that allows unauthorized exposure of sensitive files. By bypassing server.fs.deny restrictions through query parameters such as ?inline&import or ?raw&import, attackers can read files that should be blocked. This vulnerability is classified with an informational severity level, though it was recently added to the CISA Known Exploited Vulnerabilities catalog. Such vulnerabilities could lead to unauthorized data access or broader system compromise if left unaddressed.

Who is behind the incident?

The attacker or cause of the incident has not been identified. However, security researchers noted that the vulnerability was first disclosed in March 2025, and its recent inclusion in the CISA KEV catalog indicates that threat actors have begun actively leveraging this bypass against exposed development environments in early 2026.

Impact and risks for vitejs customers

For users of the affected software, there is a risk of sensitive file exposure, which could include configuration files, source code, or internal credentials. This could lead to further exploitation, such as unauthorized access to internal systems, credential abuse, or identity theft. Users should be aware that if their development server is exposed to the network (via --host or server.host), their data might be at risk.

Typical outcomes of such flaws include unauthorized data disclosure; users should update to patched versions immediately and restrict network access to development servers. Ensuring transparency in these disclosures helps the community respond quickly and effectively to emerging threats.

Frequently asked questions

What happened in the vitejs security breach?

On January 23, 2026, it was confirmed that a file-read vulnerability in Vite (CVE-2025-31125) is being exploited in the wild. The flaw allows attackers to bypass file-access restrictions and read arbitrary files from a developer's machine by using manipulated query parameters in a browser request.

When did the vitejs breach occur?

While the vulnerability was originally patched in March 2025, active exploitation surfaced in January 2026. CISA added the flaw to its "Known Exploited" list on January 22, 2026, signaling an immediate threat to organizations running unpatched development servers.

What data was exposed?

The data exposed depends on the files stored in the project directory and the broader filesystem. Attackers can potentially read sensitive source code, .env files containing API keys or secrets, and system configuration files if the Vite dev server is running with sufficient permissions and is exposed to the network.

Is my personal information at risk?

If you are a developer using Vite and have exposed your dev server to a public or untrusted network (using the --host flag), your local files and project secrets could be at risk. This information is often used by attackers to gain a foothold in corporate networks or steal intellectual property.

How can I protect myself from the vitejs data breach?

Follow these guidelines:

  • Update Vite to patched versions (6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11).
  • Restrict development server access by avoiding the --host flag on untrusted networks.
  • Change passwords and rotate API keys if you suspect .env files were accessed.
  • Use breach monitoring tools to track potential data leaks originating from your development environment.
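The exploitation condition (a dev server listening beyond loopback via --host or server.host) and the patched-version list above combine into a simple "am I affected" check. This is an added example, not code from the UpGuard post or the Vite project; it assumes the patched versions listed above are complete and treats release lines the advisory does not mention (for example 7.x) as shipped after the fix.

```javascript
// Added example, not from the UpGuard post or the Vite project: checks the
// two conditions the advisory ties together, a vulnerable Vite version and a
// dev server listening beyond loopback. Treatment of unlisted lines is assumed.
const PATCHED = ['6.2.4', '6.1.3', '6.0.13', '5.4.16', '4.5.11'].map(parse);

function parse(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// True when `version` is at or above the fix for its release line.
function isPatchedVersion(version) {
  const v = parse(version);
  const line = PATCHED.find(p => p.major === v.major && p.minor === v.minor);
  if (line) return v.patch >= line.patch;
  const sameMajor = PATCHED.filter(p => p.major === v.major);
  // A newer minor on a listed major postdates the fix; an older one predates it.
  if (sameMajor.length) return v.minor > Math.max(...sameMajor.map(p => p.minor));
  // Assumption: majors above every listed line (7.x+) shipped after the fix,
  // majors below every listed line never received it.
  return v.major > Math.max(...PATCHED.map(p => p.major));
}

// Hosts that keep the server on the local machine only.
const LOOPBACK = new Set([undefined, false, 'localhost', '127.0.0.1', '::1']);

// Resolve the host given on the CLI; a bare `--host` means all interfaces.
function hostFromArgv(argv) {
  const i = argv.findIndex(a => a === '--host' || a.startsWith('--host='));
  if (i < 0) return undefined;
  if (argv[i].includes('=')) return argv[i].slice('--host='.length);
  const next = argv[i + 1];
  return next !== undefined && !next.startsWith('-') ? next : true;
}

// True when the dev server is reachable from the network, the exploitation
// condition in the advisory; the CLI flag overrides server.host in config.
function isNetworkExposed(config, argv = []) {
  const host = hostFromArgv(argv) ?? config?.server?.host;
  return !LOOPBACK.has(host);
}

// Both conditions must hold for the fs.deny bypass to be reachable.
function assessRisk(version, config, argv = []) {
  const vulnerableVersion = !isPatchedVersion(version);
  const exposed = isNetworkExposed(config, argv);
  return { vulnerableVersion, exposed, atRisk: vulnerableVersion && exposed };
}
```

Feed it the version from package.json, the exported vite.config object, and the dev script's arguments; `atRisk` is true only when both conditions hold, which is where patching and removing --host should be prioritised.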

What steps should companies take after being impacted by the vitejs data breach?

Organizations should:

  • Prioritize remediation of CVE-2025-31125 by updating to patched versions.
  • Notify affected internal parties and provide guidance on protective actions.
  • Review network security measures.
  • Deploy attack surface management to identify exposed dev environments.

How secure is Vite.dev?

Vite is an open-source frontend build tool designed to provide a fast and lean development experience for modern web projects through features like instant server start and lightning-fast Hot Module Replacement (HMR).
