CVE-2025-31125 Splunk · SPL

Detect CVE-2025-31125: Vite Dev Server Improper Access Control in Splunk

Detects exploitation of CVE-2025-31125, an improper access control vulnerability in Vite (Vitejs) dev server. The vulnerability allows unauthorized access to sensitive files outside the intended serve root, classified under CWE-200 (Information Exposure) and CWE-284 (Improper Access Control). This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Discovery Collection

SPL Detection Query

Splunk (SPL)
spl 
index=web OR index=proxy OR index=iis sourcetype IN ("iis", "access_combined", "nginx:plus:kv", "apache:access")
| where like(uri_path, "%/@fs/%") OR like(uri_path, "%/__vite%")
| eval suspicious=if(
    match(uri_path, "/@fs/.*(\.\.|\.env|/etc/|/proc/|passwd|shadow|id_rsa)") OR
    match(uri_path, "/@fs/[A-Za-z]:[/\\\\]") OR
    match(uri_path, "%2e%2e"),
    "true", "false")
| where suspicious="true"
| stats count AS request_count, values(uri_path) AS paths, values(src_ip) AS source_ips, dc(src_ip) AS unique_ips, earliest(_time) AS first_seen, latest(_time) AS last_seen BY host, dest_ip
| where request_count > 0
| eval severity=if(request_count > 10, "high", "medium")
| table host, dest_ip, source_ips, unique_ips, request_count, paths, first_seen, last_seen, severity
| sort - request_count
high severity medium confidence

Searches web and proxy logs for requests targeting Vite dev server /@fs/ and /__vite endpoints with path traversal indicators suggesting CVE-2025-31125 exploitation.

Data Sources

Web Server LogsProxy LogsLoad Balancer Logs

Required Sourcetypes

iisaccess_combinednginx:plus:kvapache:access

False Positives & Tuning

  • Vite dev server legitimate module resolution using /@fs/ for symlinked or workspace packages
  • Automated security scanning tools during authorized penetration tests
  • Developers accessing allowed file paths through Vite's file system serving feature
  • Monorepo setups where multiple packages legitimately access cross-package paths via /@fs/

Other platforms for CVE-2025-31125

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Vite /@fs/ Path Traversal to Read /etc/passwd

    Expected signal: HTTP GET request to /@fs/etc/passwd and variants logged in web server access logs; Node.js process accessing /etc/passwd on the file system; network connection from test host to port 5173

  2. Test 2Vite Dev Server Environment File Extraction

    Expected signal: HTTP requests to /@fs/ with absolute paths to .env files; file system read events on .env and config files; response body containing environment variable content if successful

  3. Test 3Automated CVE-2025-31125 Exploitation Scan

    Expected signal: Rapid sequential HTTP GET requests to /@fs/ endpoint with multiple sensitive path targets; consistent source IP across all requests; mix of 200 and 403 response codes; elevated request rate to Vite dev server port

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-31125 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0007DiscoveryTA0009Collection

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1005Data from Local System

Same Tactic: Initial Access

Popular Detections