CVE-2025-31125 - Vite Vitejs Improper Access Control Vulnerability

基本資訊

CVE ID: CVE-2025-31125
廠商/專案: Vite
受影響產品: Vitejs
漏洞類型: Improper Access Control (CWE-284, CWE-200)
CISA 收錄日期: 2026-01-22
CISA 修補期限: 2026-02-12

漏洞描述

Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

利用狀態

已知被利用: 是（CISA KEV 收錄）
勒索軟體攻擊活動: Unknown
利用難度: 中等
影響範圍: 僅限於將 Vite 開發伺服器暴露至網路的應用程式

技術細節

攻擊向量: 透過特殊構造的 URL 參數（?inline&import 或 ?raw?import）存取未授權檔案
受影響條件:
- 應用程式必須使用 --host 參數或 server.host 配置選項將 Vite 開發伺服器暴露至網路
- 預設僅監聽 localhost 的配置不受影響
CWE 分類:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-284: Improper Access Control

修補建議

官方建議: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
修補連結:
- https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949
- https://nvd.nist.gov/vuln/detail/CVE-2025-31125

參考資料

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
GitHub Commit: https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31125

備註

This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. Organizations using Vite in development environments exposed to networks should prioritize patching before the CISA deadline of 2026-02-12.