CVE-2025-31125

CVE-2025-31125: Vite Dev Server Improper Access Control

Initial Access Discovery Collection Last updated:

Detects exploitation of CVE-2025-31125, an improper access control vulnerability in Vite (Vitejs) dev server. The vulnerability allows unauthorized access to sensitive files outside the intended serve root, classified under CWE-200 (Information Exposure) and CWE-284 (Improper Access Control). This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Vite
Product
Vitejs

Weakness (CWE)

CWE-200CWE-284

Timeline

Disclosed
January 22, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2025-31125 CVE-2025-31125: Vite Dev Server Improper Access Control?

CVE-2025-31125: Vite Dev Server Improper Access Control (CVE-2025-31125) maps to the Initial Access and Discovery and Collection tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2025-31125: Vite Dev Server Improper Access Control, covering the data sources and telemetry it touches: IIS Logs, Web Application Firewall Logs, Azure Application Gateway, Network Proxy Logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Discovery Collection
Microsoft Sentinel / Defender
kusto 
union DeviceNetworkEvents, DeviceFileEvents, W3CIISLog
| where TimeGenerated > ago(7d)
| where (
    (csUriStem contains "/@fs/" and (csUriStem contains ".." or csUriStem contains "%2e%2e" or csUriStem contains "/etc/" or csUriStem contains "/proc/" or csUriStem contains "/.env" or csUriStem contains "/passwd"))
    or (csUriStem contains "/__vite_ping" and csMethod =~ "GET")
    or (csUriStem matches regex @"/@fs/[a-zA-Z]:[\\/]" )
    or (csUriStem contains "/@fs/" and csUriStem !startswith "/@fs/" + csUriStem)
)
| extend SuspiciousPath = csUriStem, ClientIP = cIP, RequestMethod = csMethod
| project TimeGenerated, SuspiciousPath, ClientIP, RequestMethod, csHost, scStatus, csUserAgent
| order by TimeGenerated desc

Detects HTTP requests to Vite dev server endpoints that attempt path traversal or unauthorized file system access via the /@fs/ route, which is characteristic of CVE-2025-31125 exploitation.

high severity medium confidence

Data Sources

IIS Logs Web Application Firewall Logs Azure Application Gateway Network Proxy Logs

Required Tables

W3CIISLog DeviceNetworkEvents AzureDiagnostics

False Positives

  • Legitimate Vite dev server usage with /@fs/ paths for valid module resolution during development
  • Security scanners and vulnerability assessment tools probing for the vulnerability
  • Developers testing path resolution in non-production Vite environments
  • Automated CI/CD pipelines that access Vite dev server during build processes

Sigma rule & cross-platform mapping

The detection logic for CVE-2025-31125: Vite Dev Server Improper Access Control (CVE-2025-31125) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-31125 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-31125

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Vite /@fs/ Path Traversal to Read /etc/passwd

    Expected signal: HTTP GET request to /@fs/etc/passwd and variants logged in web server access logs; Node.js process accessing /etc/passwd on the file system; network connection from test host to port 5173

  2. Test 2Vite Dev Server Environment File Extraction

    Expected signal: HTTP requests to /@fs/ with absolute paths to .env files; file system read events on .env and config files; response body containing environment variable content if successful

  3. Test 3Automated CVE-2025-31125 Exploitation Scan

    Expected signal: Rapid sequential HTTP GET requests to /@fs/ endpoint with multiple sensitive path targets; consistent source IP across all requests; mix of 200 and 403 response codes; elevated request rate to Vite dev server port

Unlock Pro Content

Get the full detection package for CVE-2025-31125 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0007DiscoveryTA0009Collection

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1005Data from Local System

Same Tactic: Initial Access

Popular Detections