Lyrie
By Lyrie Threat Intelligence·1/22/2026

What happened

CISA added CVE-2025-31125 to the Known Exploited Vulnerabilities catalog on 2026-01-22, signaling observed in-the-wild exploitation of this flaw (CISA KEV). The vulnerability impacts the Vite development server (“Vite Vitejs”), where improper access control allows exposure of non-allowed file contents using query parameters like ?inline with import or ?raw with import (NVD entry). Critically, only applications that explicitly expose the Vite dev server to the network using the --host CLI option or the server.host configuration option are affected (CISA KEV). CISA classifies it under CWE-200 (Information Exposure) and CWE-284 (Improper Access Control), aligning with the described data-leak behavior (NVD entry).

CISA’s required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable, with a due date of 2026-02-12 for federal agencies (CISA KEV). The CVE record is tracked by MITRE, confirming the identifier and affected component context (MITRE CVE).

Why it matters

Inclusion in the KEV catalog means exploitation has been observed and remediation is mandated for U.S. federal civilian agencies within CISA’s timelines (CISA KEV). Dev servers are frequently spun up in CI, on personal workstations, and in ad-hoc preview environments; when exposed via --host or server.host, they become reachable to untrusted clients and can leak files explicitly not intended for serving (CISA KEV). The mechanism — reading “non-allowed” files via ?inline or ?raw import handling — moves this from “benign dev misconfig” to a concrete data exposure path (NVD entry).

CISA also notes this class of issue may affect open-source components reused across different products, compounding downstream risk when frameworks or internal tooling embed the Vite dev server during development or preview deployments (CISA KEV). CWE-200/284 mapping underscores that the core impact is unintended disclosure under lax access controls, not code execution — but that’s enough to spill sensitive project artifacts (NVD entry).

Technical detail

Vite’s dev server supports import-time query modifiers such as ?raw and ?inline to influence how assets are fetched and inlined during development (NVD entry). In the vulnerable condition, an attacker can request content of files that the server’s normal allowlist or routing would not serve, by leveraging these query parameters in combination with import semantics (?inline&import or ?raw?import) (CISA KEV). This results in exposure of “non-allowed” files: information disclosure consistent with CWE-200, and a failure to enforce access control consistent with CWE-284 (NVD entry).

Scope is explicitly limited to cases where the Vite dev server is intentionally exposed beyond localhost using --host or the server.host configuration option, which opens the service to network clients that can issue such crafted requests (CISA KEV). If the dev server is not exposed to the network, the attack surface is materially reduced since unauthenticated external access is blocked by reachability rather than application-layer checks (CISA KEV).

The CVE entry is maintained in NVD and mirrors the vulnerability classification and affected component, enabling downstream tooling to track exposure and remediation status across inventories (NVD entry). MITRE’s record confirms the identifier and supports correlation across advisories and vendor notes (MITRE CVE).

Defense

Immediate step: do not expose the Vite dev server to untrusted networks; avoid using --host or server.host unless strictly necessary and constrained by network policy (CISA KEV). If exposure is required, fence it with strict access controls (IP allowlists, VPN) and treat it as a sensitive service subject to rapid remediation (CISA KEV). Apply vendor-provided mitigations and follow CISA’s BOD 22-01-aligned guidance; if mitigations are unavailable, plan to discontinue use per the KEV directive (CISA KEV).

Hunting and detection:

  • Log and alert on requests hitting Vite dev endpoints containing ?raw or ?inline combined with import semantics (?inline&import or ?raw?import), which are part of the described exploit path (CISA KEV).
  • Inventory for any dev servers reachable from outside developer workstations or CI runners, and restrict or decommission them promptly per the KEV due date (2026-02-12 for agencies) (CISA KEV).
  • Track the CVE across asset management and SBOM systems using the NVD reference to ensure consistent remediation state and policy enforcement (NVD entry).
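
The log check from the first bullet, as an added example (not Lyrie's or Vite's code). It assumes a reverse proxy or middleware in front of the dev server writes common-log-format lines; the sample lines, paths and client addresses are constructed.

```javascript
// Added example: triage access-log lines for the ?raw / ?inline + import
// query pattern. The log format and the sample lines are constructed assumptions.
const LOOPBACK = new Set(['127.0.0.1', '::1']);
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Split everything after the first '?' on both '&' and '?', because the
// pattern on this page ("?raw?import") uses a second '?' as a separator.
function queryTokens(target) {
  const i = target.indexOf('?');
  if (i < 0) return [];
  let q = target.slice(i + 1);
  try { q = decodeURIComponent(q); } catch { /* keep raw text on bad escapes */ }
  return q.split(/[&?]/).map((t) => t.split('=')[0].toLowerCase()).filter(Boolean);
}

// Return a finding when a request carries raw|inline together with import.
function classify(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, method, target, status] = m;
  const tokens = queryTokens(target);
  const modifier = tokens.find((t) => t === 'raw' || t === 'inline');
  if (!modifier || !tokens.includes('import')) return null;
  // Loopback clients are assumed to be the developer's own browser.
  return { client, method, target, modifier,
    remote: !LOOPBACK.has(client),
    served: status === '200' };
}

// Report only matches from non-loopback clients.
function hunt(lines) {
  return lines.map(classify).filter((h) => h && h.remote);
}

// Constructed sample lines (documentation address ranges).
const SAMPLE = [
  '127.0.0.1 - - [22/Jan/2026:09:00:01 +0000] "GET /src/logo.svg?import&raw HTTP/1.1" 200 431',
  '203.0.113.7 - - [22/Jan/2026:09:00:05 +0000] "GET /src/notes.txt?raw?import HTTP/1.1" 200 1290',
  '203.0.113.7 - - [22/Jan/2026:09:00:06 +0000] "GET /src/notes.txt?inline&import HTTP/1.1" 403 0',
  '198.51.100.4 - - [22/Jan/2026:09:00:09 +0000] "GET /src/main.ts?t=1737 HTTP/1.1" 200 88',
];
```

A finding with `served: true` from a remote client is the case to escalate first, since the response body was delivered.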

Programmatic governance:

  • Enforce CI/CD guardrails that prevent dev servers from being launched with network exposure flags by default, aligning with the KEV’s affected-configuration scope (CISA KEV).
  • Include this CVE in exception reviews and risk registers given its known-exploited status, prioritizing closure within mandated timelines (CISA KEV).
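
One way to implement the CI guardrail from the first bullet, as an added example (not Lyrie's or Vite's code). It takes the text of package.json and of a Vite config file and reports non-loopback use of --host and server.host; the function names and sample inputs are constructed, and the config scan is a text heuristic.

```javascript
// Added example: CI check for the exposure settings named on this page
// (--host on the CLI, server.host in config). Inputs below are constructed.
const LOCAL = new Set(['localhost', '127.0.0.1', '::1']);
const NOT_DEV = new Set(['build', 'preview', 'optimize']);

// Return the npm scripts that start the Vite dev server with a non-loopback host.
function exposedScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const hits = [];
  for (const [name, cmd] of Object.entries(scripts)) {
    for (const part of cmd.split(/&&|\|\||;|\|/)) {
      const argv = part.trim().split(/\s+/);
      const i = argv.findIndex((a) => a === 'vite' || a.endsWith('/vite'));
      if (i < 0 || NOT_DEV.has(argv[i + 1])) continue;
      const h = argv.findIndex((a, j) => j > i && /^--host(=|$)/.test(a));
      if (h < 0) continue;
      // "--host" with no value listens on all addresses.
      const next = argv[h + 1];
      const value = argv[h].includes('=') ? argv[h].split('=')[1]
        : next && !next.startsWith('-') ? next : '';
      if (!LOCAL.has(value)) hits.push({ script: name, host: value || '(all addresses)' });
    }
  }
  return hits;
}

// Heuristic text scan of a Vite config for a non-loopback host value.
// It does not evaluate the config, so computed values are not seen.
function exposedConfigHosts(configText) {
  const re = /\bhost\s*:\s*(true|(['"`])([^'"`]*)\2)/g;
  const hits = [];
  for (const m of configText.matchAll(re)) {
    const value = m[1] === 'true' ? 'true' : m[3];
    if (!LOCAL.has(value)) hits.push(value);
  }
  return hits;
}

// Constructed sample inputs.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ scripts: {
  dev: 'vite',
  'dev:lan': 'vite --host',
  'dev:ip': 'cross-env NODE_ENV=development vite dev --host=0.0.0.0 --port 5173',
  'dev:local': 'vite --host 127.0.0.1',
  build: 'tsc && vite build',
  preview: 'vite preview --host',
} });
const SAMPLE_CONFIG = 'export default { server: { host: true, port: 5173 } }';
```

A pipeline step can fail the build when either function returns a non-empty list, with an explicit exception path for projects that need network exposure behind an allowlist or VPN.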

Lyrie Verdict

This is a low-friction data-harvest vector tailor-made for autonomous adversaries: enumerate exposed dev servers, spray crafted ?raw/?inline import requests, and siphon files at scale (CISA KEV). Lyrie instruments machine-speed detections keyed to exploitation semantics — HTTP requests containing the Vite-specific ?inline&import or ?raw?import patterns against dev endpoints, correlated with host exposure flags like --host/server.host observed in process and config telemetry — to auto-isolate and kill sessions before bulk exfil completes (NVD entry). Inclusion in KEV provides the policy trigger; Lyrie converts it into autonomous guardrails so rogue AI agents cannot turn incidental dev exposure into systematic leakage (CISA KEV).

Autonomous agents can mass-harvest files from exposed Vite dev servers using ?raw/?inline imports. Lyrie keys on these request patterns and host exposure flags to auto-contain at machine speed, converting KEV intelligence into enforced controls that block rogue-AI data pulls.