A newly discovered Vite vulnerability, a widely used frontend development tool, has been assigned the identifier CVE-2025-32395. This flaw affects development servers running in Node or Bun environments and can potentially expose arbitrary file contents to unauthorized users.
CVE-2025-32395 Vite Vulnerability Exposes Sensitive Files
A recent post by a cybersecurity researcher drew attention to a newly identified vulnerability CVE-2025-32395 in Vite, a popular frontend development server. The vulnerability may affect more than 286,000 exposed Vite services worldwide. Despite being described in some places as a Denial of Service flaw, technical evidence confirms that this is more accurately an information disclosure vulnerability.
Vite is a modern front-end development tool designed to provide a fast and efficient development experience for web applications. It features a development server that serves source files over native ES modules, with Hot Module Replacement (HMR) for quick updates, and uses Rollup for production builds.
Vite Arbitrary File Read Vulnerability Details
The vulnerability, tracked as CVE-2025-32395, affects Vite’s development server when running on Node or Bun runtimes and exposed to the network. According to the National Vulnerability Database, the issue allows the contents of arbitrary files to be returned to the browser, bypassing the server.fs.deny configuration. The issue arises from how Vite handles malformed HTTP requests containing the # symbol in the request target.
According to the HTTP/1.1 standard (RFC 9112), the # character is not permitted in the request target and should be rejected by compliant servers. However, when Vite runs on Node or Bun, these platforms do not properly validate or reject such malformed requests. Instead, they pass them through to the application layer, allowing unexpected behavior.
Vite’s internal file-serving mechanism uses the configuration option server.fs.deny to block access to sensitive files. However, when handling requests that contain invalid characters like #, this validation is bypassed. As a result, an attacker can craft a request to access files that should be restricted. These may include environment configuration files, source code, or any other files located outside the permitted directory scope.
Proof of Concept Exploit Released
The flaw instantly got much more dangerous, as a PoC exploit was released to demonstrate the significant potential behind the flaw. Published on GitHub, it shows how an attacker could exploit it to read arbitrary files. The process begins by creating a new Vite project using npm create vite@latest, moving into the project directory, installing dependencies with npm install, and starting the development server with npm run dev.
Once the server is running, the attacker can send a specially crafted HTTP request—for example, using curl –request-target /@fs/../../../../../etc/passwd http://127.0.0.1:5173. This demonstrates that by manipulating the request-target with relative paths and a # character, the attacker can bypass the server.fs.deny restriction and gain access to sensitive files like /etc/passwd. This also confirms the issue as an information disclosure vulnerability, not a denial-of-service problem.
Potential Impact and Risks
Reports suggest a significant number of services may be affected, with claims of over 286,000 services potentially exposed yearly. This statistic likely stems from scans using platforms, which can identify Vite development servers online by searching for patterns like “body=”/@vite/client”” in HTTP responses. Given Vite’s widespread use, especially in development environments, this number seems plausible.
CVE-2025-32395 Flaw Short Description
| Requirements | Malformed HTTP character with “#” symbol in the path. |
| Authentication level | No authentication required. |
| Impact | Bypass of server.fs.deny configuration, arbitrary files read. |
| Affected software | Vite development servers running Node.js/Bun. |
The exposure of development servers to the internet poses a confidentiality risk, as attackers could access sensitive files such as configuration files, source code, API keys, or other confidential data. This is particularly dangerous for applications explicitly configured with –host or server.host options, making them accessible over the network. The impact is less about service disruption and more about unauthorized data access.
Controversy About DoS Attack
Despite the clear classification as an information disclosure vulnerability, some publications have labeled it as a Denial-of-Service attack. A DoS attack typically aims to disrupt service availability, such as by overwhelming the server or causing it to crash. On the other hand, CVE-2025-32395 allows unauthorized file access, which is a confidentiality breach. The confusion may arise from the potential secondary effect: if an attacker sends a large number of requests exploiting this vulnerability, it could lead to resource exhaustion, indirectly causing a denial of service. However, the primary nature of the vulnerability is information disclosure, as confirmed by the NVD and GitHub sources.
Mitigation Strategies & Protection
To mitigate this vulnerability, users should start by updating Vite to one of the fixed versions — 6.2.6, 6.1.5, 6.0.15, 5.4.18, or 4.5.13 — as these versions include a patch that properly blocks invalid requests. It’s also important to make sure the Vite development server isn’t accessible from the public internet. Ideally, it should only be reachable via localhost or be protected behind a firewall within a secure network.
Additionally, users should scan for any unintentional exposure by using search tools. Finally, it’s a good practice to regularly audit server configurations, especially in development environments, to catch anything that might have been accidentally left open.
Nice