Cloudflare Vite Plugin full file exposure before v1.6.0
CVE-2025-59427 Published on September 19, 2025

Cloudflare vite plugin exposes secrets over the built-in dev server
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.
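
As an added example (not part of the advisory and not Cloudflare's code), this Node.js snippet checks a package-lock.json for installed copies of the plugin below the fixed version 1.6.0 and lists the root-directory secret files the description names. The npm package name @cloudflare/vite-plugin, the suffixed variants such as .env.production, and the sample lockfile and file list are assumptions, not values from this page.

```javascript
// Added example: offline audit for CVE-2025-59427 (fixed in 1.6.0 per the advisory).
const PLUGIN = "@cloudflare/vite-plugin"; // assumed npm package name, not stated on the page
const FIXED = [1, 6, 0];

// Parse "major.minor.patch[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version is below 1.6.0. Unparseable versions are flagged for manual review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a prerelease such as 1.6.0-beta.1 sorts before 1.6.0
}

// Collect every installed copy of the plugin from a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under another dependency's node_modules.
function findPluginInstalls(lockJson) {
  const pkgs = JSON.parse(lockJson).packages || {};
  return Object.entries(pkgs)
    .filter(([path]) => path === `node_modules/${PLUGIN}` || path.endsWith(`/node_modules/${PLUGIN}`))
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

// Root-directory files of the kind the advisory names (.env, .dev.vars) plus suffixed variants.
function secretFilesInRoot(names) {
  return names.filter((n) => /^\.(env|dev\.vars)(\..+)?$/.test(n));
}

// Report installs and, only if an affected copy exists, the secret files the dev server could serve.
function audit(lockJson, rootNames) {
  const installs = findPluginInstalls(lockJson);
  const exposed = installs.some((i) => i.affected);
  return { installs, atRisk: exposed ? secretFilesInRoot(rootNames) : [] };
}

// Constructed sample data (not from a real project).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-worker" },
  "node_modules/@cloudflare/vite-plugin": { version: "1.5.1" },
  "node_modules/vite": { version: "6.3.5" },
}});
const SAMPLE_ROOT = [".env", ".dev.vars", ".env.production", "vite.config.ts", "src"];
console.log(audit(SAMPLE_LOCK, SAMPLE_ROOT));
```

Any file listed under atRisk should be treated as potentially disclosed if the dev server was reachable by others while an affected version was installed.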

NVD

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2025-59427 has been classified as an Information Disclosure vulnerability or weakness.


Affected Versions

cloudflare workers-sdk Version < 1.6.0 is affected by CVE-2025-59427

Exploit Probability

EPSS: 0.36%
Percentile: 27.51%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.