Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-31125

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 2 months, 3 weeks ago

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

References

https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 x_refsource_CONFIRM
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 x_refsource_MISC
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 exploit
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 x_refsource_CONFIRM
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 x_refsource_MISC
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025… government-resource
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 x_refsource_CONFIRM
https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949 x_refsource_MISC
https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8 exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025… government-resource

Affected products

vite

==>= 5.0.0, < 5.4.16
==< 4.5.11
==>= 6.0.0, < 6.0.13
==>= 6.2.0, < 6.2.4
==>= 6.1.0, < 6.1.3

Matching in nixpkgs

pkgs.vite

Visual Trace Explorer (ViTE), a tool to visualize execution traces

nixos-unstable 2022-05-17
- nixpkgs-unstable 2022-05-17
- nixos-unstable-small 2022-05-17
nixos-25.11 1.4
- nixpkgs-25.11-darwin 1.4

pkgs.vitess

Database clustering system for horizontal scaling of MySQL

nixos-unstable 22.0.1
- nixpkgs-unstable 22.0.1
- nixos-unstable-small 22.0.1
nixos-25.11 22.0.1
- nixpkgs-25.11-darwin 22.0.1

pkgs.vitetris

Terminal-based Tetris clone by Victor Nilsson

nixos-unstable 0.59.1
- nixpkgs-unstable 0.59.1
- nixos-unstable-small 0.59.1
nixos-25.11 0.59.1
- nixpkgs-25.11-darwin 0.59.1

pkgs.python312Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python313Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 3.1.0
- nixpkgs-25.11-darwin 3.1.0

Package maintainers

@sephii Sylvain Fankhauser <sephi@fhtagn.top>
@urandom2 Colin Arnott <colin@urandom.co.uk>
@siers Raitis Veinbahs <veinbahs+nixpkgs@gmail.com>