CVE-2025-59427: Cloudflare Vite plugin exposes secrets over the built-in dev server
(updated )
Note: originally posted on H1 but closed. Cross-posting over to here in abundance of caution instead of a public issue.
When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as:
.env.dev.vars
References
- github.com/advisories/GHSA-4pfg-2mw5-f8jx
- github.com/cloudflare/workers-sdk
- github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4bd764ebc38
- github.com/cloudflare/workers-sdk/discussions/3455
- github.com/cloudflare/workers-sdk/security/advisories/GHSA-4pfg-2mw5-f8jx
- hackerone.com/reports/3117837
- nvd.nist.gov/vuln/detail/CVE-2025-59427
Code Behaviors & Features
Detect and mitigate CVE-2025-59427 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →