
Cloud Vulnerability DB
A community-led vulnerabilities database
The Cloudflare Vite plugin (npm package @cloudflare/vite-plugin) versions prior to 1.6.0 contained a vulnerability where the built-in dev server exposed sensitive files in its default configuration. This security issue, identified as GHSA-4pfg-2mw5-f8jx, was discovered and disclosed on July 7, 2025, with a patch released on July 8, 2025. The vulnerability allowed unauthorized access to sensitive files including .env and .dev.vars files through the local development server (GitHub Advisory).
The vulnerability stems from the default configuration of the Vite plugin's dev server, which inadvertently served every file in the project root directory, including sensitive configuration files. The issue could be triggered whenever the dev server was running, and was especially exposed when it was bound to a network interface with commands like npm run dev -- -- --host 0.0.0.0. The vulnerability has been assigned a CVSS score of 6.9 (Moderate): attack vector Network, attack complexity Low, privileges required None. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).
When exploited, this vulnerability could lead to the exposure of sensitive information including environment variables, development variables, package dependencies, and internal documentation. The impact is particularly significant when the dev server is exposed on public networks or when sharing application previews using cloudflared, as it could allow attackers to access confidential configuration data (GitHub Advisory).
The vulnerability has been patched in version 1.6.0 of @cloudflare/vite-plugin. Users are strongly advised to upgrade to this version or later to prevent unauthorized access to sensitive files. The fix includes restrictions on access to .dev.vars files and other sensitive content through the dev server (Workers SDK Commit).
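The following is an added illustrative example, not code from @cloudflare/vite-plugin, Vite, or the Workers SDK fix. It shows the defensive pattern the advisory points at: a deny list of sensitive file names that a dev server refuses to serve, expressed both as a small self-contained path check and as a hardened vite.config.js fragment using Vite's real server.fs.deny and server.host options. The glob matcher is a simplified reimplementation covering only the patterns listed here; the pattern list and the isDeniedPath function are assumptions made for this example.

```javascript
// Added example (not from the plugin or Vite): a deny-list check in the style
// of Vite's `server.fs.deny`, plus a hardened config fragment.

// Files a hardened dev server should refuse to serve. `.env` / `.env.*` mirror
// Vite's own defaults; the `.dev.vars` entries cover the Workers-specific
// secrets file named in the advisory. Assumed list for this example.
const SENSITIVE_FILE_PATTERNS = [
  '.env',
  '.env.*',
  '.dev.vars',
  '.dev.vars.*',
  '*.{crt,pem}',
];

// Convert a small glob subset (`*`, `?`, `{a,b}`) to a RegExp anchored on the
// whole basename. Assumption: patterns contain no path separators.
function globToRegExp(glob) {
  let re = '';
  for (const ch of glob) {
    if (ch === '*') re += '[^/]*';
    else if (ch === '?') re += '[^/]';
    else if (ch === '{') re += '(?:';
    else if (ch === '}') re += ')';
    else if (ch === ',') re += '|';
    else re += ch.replace(/[.+^$()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}

const DENY_REGEXPS = SENSITIVE_FILE_PATTERNS.map(globToRegExp);

// Return true when a requested URL path should be refused. The check runs on
// the basename (so `/config/.env.local` is denied too) after stripping any
// query/hash and URL-decoding, so `/.env?raw` or `/%2Eenv` cannot slip past.
// A malformed percent-encoding is treated as a denial rather than a pass.
function isDeniedPath(urlPath) {
  let pathname = urlPath.split(/[?#]/, 1)[0];
  try {
    pathname = decodeURIComponent(pathname);
  } catch {
    return true;
  }
  const basename = pathname.split('/').pop();
  return DENY_REGEXPS.some((re) => re.test(basename));
}

// Hardened vite.config.js fragment: list the sensitive files explicitly instead
// of relying on a plugin's defaults, keep strict filesystem serving on, and
// bind the dev server to loopback rather than 0.0.0.0. `server.host`,
// `server.fs.strict` and `server.fs.deny` are real Vite options.
const hardenedViteConfig = {
  server: {
    host: '127.0.0.1',
    fs: {
      strict: true,
      deny: SENSITIVE_FILE_PATTERNS,
    },
  },
};

// Quick self-check of the deny logic against a few constructed request paths.
function selfCheck() {
  return ['/.dev.vars', '/.env.local', '/src/index.ts'].map((p) => [p, isDeniedPath(p)]);
}
```

In a real project the hardenedViteConfig object would be the default export of vite.config.js; the isDeniedPath helper is only there to make the deny semantics concrete and testable. Upgrading the plugin to 1.6.0 or later remains the actual fix; the explicit deny list is defence in depth, and binding to 127.0.0.1 limits exposure if a file is still served by mistake.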
Source: This report was generated using AI