Information disclosure in Vitejs Vite

CVE-2025-32395

Vite is a frontend tooling framework for JavaScript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) do…

Vulnerability class: Information Disclosure

EPSS: 0.032 (87.2th percentile)

Affected products

  • Vitejs Vite — versions >= 6.2.0, < 6.2.6; >= 6.1.0, < 6.1.5; >= 6.0.0, < 6.0.15

Frequently asked questions

What is CVE-2025-32395?
CVE-2025-32395 is a vulnerability in Vitejs Vite, classified under Information Disclosure. Published 2025-04-10.
Is CVE-2025-32395 known to be exploited?
9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.