
Cloud Vulnerability DB
A community-led vulnerabilities database
The Cloudflare Vite plugin (npm package @cloudflare/vite-plugin) in versions prior to 1.6.0 contains a vulnerability in which the local dev server, in its default configuration, exposes sensitive files. The vulnerability, identified as CVE-2025-59427, allows unauthorized access to files in the project root that hold secret information, such as .env and .dev.vars files. The issue was discovered in July 2025 and has been fixed in version 1.6.0 (GitHub Advisory).
The vulnerability arises because, in the plugin's default configuration, the local dev server does not properly restrict file serving to the configured assets directory. Sensitive files can therefore be retrieved with ordinary HTTP requests to the dev server, such as http://localhost:5173/.env or http://localhost:5173/.dev.vars. The issue is particularly concerning when the dev server is exposed on a public network or when previews are shared using cloudflared. The vulnerability has been assigned a CVSS v4.0 score of 2.9 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (NVD).
If the Vite dev server is exposed on a public network or when sharing application previews using cloudflared, attackers can potentially acquire secrets that users don't intend to expose. This includes sensitive information from .env files, .dev.vars files, package.json (exposing dependencies that could lead to other vulnerabilities), and internal documentation from README.md files (GitHub Advisory).
The vulnerability has been fixed in version 1.6.0 of the @cloudflare/vite-plugin. Users should upgrade to this version or later to prevent unauthorized access to sensitive files. Organizations using affected versions should avoid exposing the dev server to public networks and exercise caution when sharing application previews (GitHub Advisory).
Source: This report was generated using AI