logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-4pfg-2mw5-f8jx @cloudflare/vite-plugin

Package

Manager: npm
Name: @cloudflare/vite-plugin
Vulnerable Version: >=0 <1.6.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

EPSS: N/A pctlN/A

Details

Cloudflare Vite plugin exposes secrets over the built-in dev server ### Summary Note: [originally posted on H1](https://hackerone.com/reports/3117837) but closed. Cross-posting over to here in abundance of caution instead of a public issue. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as: - `.env` - `.dev.vars` ### PoC 1. Create a Workers project that utilises the `@cloudflare/vite-plugin`. For example: - `npm create cloudflare@latest` - select Framework Starter -> React 2. Add any secret files to test if they're accessible. `echo foobar=secret > .dev.vars` for example 3. Run `npm run dev` to start the dev server (after running `npm ci` if necessary to install dependencies) and then hit the following to expose information: `curl http://localhost:5173/.env` may expose any secrets in this file `curl http://localhost:5173/.dev.vars` may expose any secrets in this file `curl http://localhost:5173/package.json` may expose dependencies used by the project, potentially leading to other vulnerabilities `curl http://localhost:5173/README.md` may expose internal documentation ### Impact If the vite dev server is exposed on a public network, such as when a user simply uses `wrangler` to serve their application and doesn't publish to Cloudflare in production, an attacker may be able to acquire secrets that the user doesn't wish to be exposed. Another common scenario where this could happen is when sharing previews of an application using `cloudflared`. `npm run dev` -> share preview with `cloudflared` -> now all secrets are exposed to the public internet. Exposing via vite is possible via: ``` npm run dev -- -- --host 0.0.0.0 ``` The default configuration has no reason to expose information outside of the configured assets directory. Example: `curl http://somehost/.env` may expose secrets `curl http://somehost/.dev.vars` may expose secrets `curl http://somehost/package.json` may expose dependencies used by the project, potentially leading to other vulnerabilities `curl http://somehost/README.md` may expose internal documentation etc. Information disclosure to anyone on the same network, or if the dev server is exposed such as via `cloudflared` as explored here: https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773

Metadata

Created: 2025-07-08T19:07:47Z
Modified: 2025-07-08T19:07:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-4pfg-2mw5-f8jx/GHSA-4pfg-2mw5-f8jx.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F308
Auto approve: 1