QwikSec

Security Database

CVE

CWE

Training

CVE-2025-59427

Published: Sep 19, 2025

Modified: Sep 19, 2025

PUBLISHED

Description

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.

Vendor	Product	Versions
cloudflare	workers-sdk	affected `< 1.6.0`

Weaknesses (CWE)

References

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-4pfg-2mw5-f8jx

x_refsource_CONFIRM

https://github.com/cloudflare/workers-sdk/commit/0e500720bf70016fa4ea21fc8959c4bd764ebc38

x_refsource_MISC

https://hackerone.com/reports/3117837

x_refsource_MISC

https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.