Vite Dev Server Exposes Six Filesystem Bypass Vulnerabilities (CVE-2025-32395 et al.)

The Vite development server contains six distinct filesystem bypass vulnerabilities, allowing unauthorized access to sensitive files on a developer's machine. These CVEs, including CVE-2025-32395 and CVE-2025-31125, all circumvent the `server.fs.deny` protection mechanism. The risk is specific to the development environment: when a developer runs the dev server (e.g., `pnpm start`) and exposes it to the network using the `--host` flag, an attacker on that network can exploit these flaws to read protected files.

These vulnerabilities enable attackers to access critical files such as `.env` files containing secrets, SSL certificates, and other system files that should be restricted. The attack vectors vary, with one involving an invalid `request-target` containing a `#` character to bypass deny rules. While the vulnerabilities are rated as Moderate severity with a CVSS score of 6.0, their impact on developer security and intellectual property is significant. The flaws are present in `[email protected]` and have been patched in version 5.4.18.

For projects like AgentPlex that depend on this vulnerable version as a devDependency, the immediate action is to upgrade. The exposure is limited to the development phase and does not affect end-users of a packaged application. However, this incident highlights the persistent security challenges in modern build toolchains and the risks of exposing development servers, which are often treated as trusted internal components.