CVE-2025-32395 Overview
CVE-2025-32395 is an information disclosure vulnerability in Vite, a popular frontend tooling framework for JavaScript. The vulnerability allows attackers to bypass the server.fs.deny security control and read arbitrary files from the development server when it is exposed to the network and running on Node.js or Bun runtimes.
The flaw stems from improper handling of HTTP requests containing the # character in the request target. While HTTP 1.1 (RFC 9112) and HTTP 2 specifications do not allow # in request-target and recommend rejecting such requests with 400 or 301 status codes, Node.js and Bun pass these malformed requests to user land code without rejection. Vite's security check assumed req.url would never contain #, allowing attackers to craft requests that bypass the file system access restrictions.
Critical Impact
Attackers can read sensitive configuration files, environment variables, source code, and other confidential data from development servers exposed to the network.
Affected Products
- Vite versions prior to 6.2.6
- Vite versions prior to 6.1.5
- Vite versions prior to 6.0.15
- Vite versions prior to 5.4.18
- Vite versions prior to 4.5.13
Discovery Timeline
- 2025-04-10 - CVE-2025-32395 published to NVD
- 2025-04-11 - Last updated in NVD database
Technical Details for CVE-2025-32395
Vulnerability Analysis
This vulnerability falls under the CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) category. The security issue exists in how Vite processes incoming HTTP requests when validating file access against the server.fs.deny configuration.
Vite's development server includes a security feature (server.fs.deny) that restricts which files can be served to clients. However, the validation logic did not account for the possibility that req.url could contain the # fragment identifier character. On Node.js and Bun runtimes, HTTP requests with invalid request-lines containing # are not rejected at the HTTP parsing layer and instead propagate to the application code with the # character intact in http.IncomingMessage.url.
This behavior creates a security bypass where an attacker can craft HTTP requests that include # in the request target to evade Vite's file path validation, ultimately gaining access to files that should be restricted by server.fs.deny.
Root Cause
The root cause is an assumption in Vite's request URL validation logic that the req.url value would never contain the # character. This assumption is based on HTTP specification requirements, but fails to account for runtime-specific behavior where Node.js and Bun do not reject these malformed requests at the HTTP protocol layer. The discrepancy between specification requirements and actual runtime behavior creates a validation bypass vulnerability.
Attack Vector
The attack requires network access to the Vite development server. An attacker can exploit this vulnerability by:
- Identifying a Vite development server exposed to the network (using --host flag or server.host configuration)
- Crafting HTTP requests with # characters in the request target to bypass server.fs.deny validation
- Requesting sensitive files such as .env files, configuration files, or source code
- Receiving the contents of restricted files in the HTTP response
The vulnerability specifically affects servers running on Node.js or Bun runtimes. Deno-based deployments are not affected as Deno properly rejects these malformed HTTP requests.
The malicious request exploits the discrepancy between HTTP specification requirements and the actual behavior of Node.js and Bun HTTP parsing. By including a # character in the request path, attackers can manipulate how Vite's server.fs.deny check processes the file path, causing it to fail validation while the underlying file system operation succeeds.
Detection Methods for CVE-2025-32395
Indicators of Compromise
- HTTP access logs showing unusual requests with # characters in URLs targeting sensitive file paths
- Requests attempting to access files like .env, package.json, or files outside the expected web root
- Unexpected file read operations on the development server from external IP addresses
- Network connections to development server ports (typically 5173) from untrusted sources
Detection Strategies
- Implement network monitoring for HTTP requests containing # characters in the request-target
- Configure web application firewalls to alert on or block requests with malformed URL patterns
- Review development server access logs for requests targeting sensitive files or directories
- Monitor for unusual outbound data transfers from development environments
Monitoring Recommendations
- Enable verbose logging on Vite development servers when exposed to any network
- Implement file integrity monitoring on sensitive configuration files in development environments
- Set up alerts for any external access attempts to development server ports
- Review network segmentation to ensure development servers are not unnecessarily exposed
How to Mitigate CVE-2025-32395
Immediate Actions Required
- Update Vite to one of the patched versions: 6.2.6, 6.1.5, 6.0.15, 5.4.18, or 4.5.13
- Avoid exposing Vite development servers to untrusted networks until patched
- Remove --host flag or server.host configuration if network exposure is not required
- Audit access logs for any signs of exploitation attempts
Patch Information
The vulnerability has been fixed in multiple Vite versions across different release branches. The fix is available in the GitHub commit 175a8390. Organizations should update to the following patched versions based on their current branch:
| Current Branch | Patched Version |
|---|---|
| 6.2.x | 6.2.6 |
| 6.1.x | 6.1.5 |
| 6.0.x | 6.0.15 |
| 5.4.x | 5.4.18 |
| 4.5.x | 4.5.13 |
For complete technical details and additional context, refer to the GitHub Security Advisory GHSA-356w-63v5-8wf4.
Workarounds
- Bind Vite development server to localhost only (remove --host flag and server.host configuration)
- Use a reverse proxy with request validation to filter malformed HTTP requests before they reach Vite
- Run the development server on Deno runtime which properly rejects these malformed requests
- Implement network-level access controls to restrict who can reach the development server
# Configuration example
# Remove network exposure from vite.config.js
# Before (vulnerable if running on Node/Bun):
# export default {
# server: {
# host: true
# }
# }
# After (secure - localhost only):
export default {
server: {
host: false # or remove the host option entirely
}
}
# Update Vite to patched version
npm update vite
# or
yarn upgrade vite
# or
pnpm update vite
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
