CVE-2025-59427
BaseFortify
Publication date: 2025-09-19
Last updated on: 2025-09-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cloudflare | vite_plugin | 1.6.0 |
| cloudflare | workers_sdk | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Cloudflare Vite plugin when used in its default configuration. The local development server exposes all files, including those in the root directory that may contain sensitive information such as .env and .dev.vars files. This exposure can lead to unintended disclosure of secret information.
How can this vulnerability impact me? :
The vulnerability can lead to the exposure of secret or sensitive information stored in configuration files like .env and .dev.vars. This could allow unauthorized parties to access secrets such as API keys, credentials, or other sensitive data, potentially compromising the security of your application or environment.
What immediate steps should I take to mitigate this vulnerability?
Update the Cloudflare Vite plugin to version 1.6.0 or later, as this version fixes the vulnerability that exposes secret files via the local dev server. Additionally, review your local development server configuration to ensure that sensitive files such as .env and .dev.vars are not exposed.