GHSA-4pfg-2mw5-f8jx: Cloudflare Vite plugin exposes secrets over the built-in dev server

July 8, 2025

Note: originally posted on H1 but closed. Cross-posting over to here in abundance of caution instead of a public issue.

When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as:

.env
.dev.vars

References

github.com/advisories/GHSA-4pfg-2mw5-f8jx
github.com/cloudflare/workers-sdk
github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4bd764ebc38
github.com/cloudflare/workers-sdk/security/advisories/GHSA-4pfg-2mw5-f8jx

Code Behaviors & Features

Detect and mitigate GHSA-4pfg-2mw5-f8jx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →