Information Exposure in @cloudflare/vite-plugin

Q: How to fix?

Upgrade @cloudflare/vite-plugin to version 1.6.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-CLOUDFLAREVITEPLUGIN-10734088
published13 Jul 2025
disclosed8 Jul 2025
creditJames Ross

Report a new vulnerability Found a mistake?

Introduced: 8 Jul 2025

CWE-200 (opens in a new tab)

How to fix?

Upgrade @cloudflare/vite-plugin to version 1.6.0 or higher.

Overview

@cloudflare/vite-plugin is a Cloudflare plugin for Vite

Affected versions of this package are vulnerable to Information Exposure via the dev server process. An attacker can access sensitive files and internal project information by sending HTTP requests to the server for files such as .env, .dev.vars, package.json, or README.md.

Note: This is exploitable if the development server is exposed to a public or shared network, such as when using preview sharing tools or running the server with a public host configuration.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Information Exposure Affecting @cloudflare/vite-plugin package, versions <1.6.0

Severity