What is the severity of CVE-2025-59427?

CVE-2025-59427 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-59427?

No known public exploits are currently available for CVE-2025-59427.

Is there a patch available for CVE-2025-59427?

Yes, patches are available for CVE-2025-59427. Check the vendor advisories for update instructions.

CVE-2025-59427 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Note: originally posted on H1 but closed. Cross-posting over to here in abundance of caution instead of a public issue.

When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as:

.env
.dev.vars

PoC

Create a Workers project that utilises the @cloudflare/vite-plugin. For example:
- npm create cloudflare@latest - select Framework Starter -> React
Add any secret files to test if they're accessible. echo foobar=secret > .dev.vars for example
Run npm run dev to start the dev server (after running npm ci if necessary to install dependencies) and then hit the following to expose information:

curl http://localhost:5173/.env may expose any secrets in this file curl http://localhost:5173/.dev.vars may expose any secrets in this file curl http://localhost:5173/package.json may expose dependencies used by the project, potentially leading to other vulnerabilities curl http://localhost:5173/README.md may expose internal documentation

Impact

If the vite dev server is exposed on a public network, such as when a user simply uses wrangler to serve their application and doesn't publish to Cloudflare in production, an attacker may be able to acquire secrets that the user doesn't wish to be exposed.

Another common scenario where this could happen is when sharing previews of an application using cloudflared. npm run dev -> share preview with cloudflared -> now all secrets are exposed to the public internet.

Exposing via vite is possible via:

npm run dev -- -- --host 0.0.0.0

The default configuration has no reason to expose information outside of the configured assets directory.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com