CVE-2025-30208

Vite bypasses server.fs.deny when using `?raw??`

Basic Information

CVE State: PUBLISHED
Reserved Date: March 18, 2025
Published Date: March 24, 2025
Last Updated: March 24, 2025
Vendor: vitejs
Product: vite
Description: Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Tags: nuclei_scanner

CVSS Scores

CVSS v3.1

5.3 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

SSVC Information

Exploitation: poc
Technical Impact: partial

Exploit Status

Proof of Concept Available: Yes (added 2025-03-28 12:17:36 UTC)

Known Exploited Vulnerability Information

Source: The Shadowserver (via CIRCL)
Added Date: 2026-04-06 19:42:04 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

r0ngy40/CVE-2025-30208-Series

Type: github • Created: 2025-04-24 10:53:23 UTC • Stars: 1

Analysis of the Reproduction of CVE-2025-30208 Series Vulnerabilities

imbas007/CVE-2025-30208-template

Type: github • Created: 2025-04-21 01:33:14 UTC • Stars: 0

CVE-2025-30208 vite file read nuclei template

lilil3333/Vite-CVE-2025-30208-EXP

Type: github • Created: 2025-04-05 04:59:49 UTC • Stars: 1

Vite-CVE-2025-30208-EXP single-target detection, supports custom read paths and deep search

4m3rr0r/CVE-2025-30208-PoC

Type: github • Created: 2025-04-03 11:46:19 UTC • Stars: 0

CVE-2025-30208 - Vite Arbitrary File Read PoC

sumeet-darekar/CVE-2025-30208

Type: github • Created: 2025-04-02 05:52:24 UTC • Stars: 0

mass scan for CVE-2025-30208

0xshaheen/CVE-2025-30208

Type: github • Created: 2025-04-02 04:26:21 UTC • Stars: 0

keklick1337/CVE-2025-30208-ViteVulnScanner

Type: github • Created: 2025-03-28 12:17:36 UTC • Stars: 0

CVE-2025-30208 ViteVulnScanner

sadhfdw129/CVE-2025-30208-Vite

Type: github • Created: 2025-03-28 09:50:48 UTC • Stars: 0

CVE-2025-30208 | Vite script

4xura/CVE-2025-30208

Type: github • Created: 2025-03-27 12:55:01 UTC • Stars: 1

A PoC of the exploit script for the Arbitrary File Read vulnerability of Vite /@fs/ Path Traversal in the transformMiddleware (CVE-2025-30208).

On1onss/CVE-2025-30208-LFI

Type: github • Created: 2025-03-27 12:36:41 UTC • Stars: 2

This exploit is for educational and ethical security testing purposes only. The use of this exploit against targets without prior mutual consent is illegal, and the developer disclaims any liability for misuse or damage caused by this exploit.

iSee857/CVE-2025-30208-PoC

Type: github • Created: 2025-03-27 06:22:18 UTC • Stars: 0

Vite-CVE-2025-30208 dynamic detection script, supports dynamic detection with default and custom paths

Lusensec/CVE-2025-30208

Type: github • Created: 2025-03-27 04:58:54 UTC • Stars: 0

CVE-2025-30208 detection tool. python script && nuclei template

marino-admin/Vite-CVE-2025-30208-Scanner

Type: github • Created: 2025-03-26 20:10:20 UTC • Stars: 8

CVE-2025-30208-EXP arbitrary file read

YuanBenSir/CVE-2025-30208_POC

Type: github • Created: 2025-03-26 19:06:44 UTC • Stars: 0

CVE-2025-30208 arbitrary file read vulnerability quick verification

MiclelsonCN/CVE-2025-30208_POC

Type: github • Created: 2025-03-26 19:06:44 UTC • Stars: 0

CVE-2025-30208 arbitrary file read vulnerability quick verification

kk12-30/CVE-2025-30208

Type: github • Created: 2025-03-26 17:18:46 UTC • Stars: 1

CVE-2025-30208 vulnerability verification tool

xaitx/CVE-2025-30208

Type: github • Created: 2025-03-26 17:14:11 UTC • Stars: 8

CVE-2025-30208 detection tool. python script && nuclei template

ThumpBo/CVE-2025-30208-EXP

Type: github • Created: 2025-03-26 15:42:31 UTC • Stars: 178

CVE-2025-30208-EXP

xuemian168/CVE-2025-30208

Type: github • Created: 2025-03-26 10:26:12 UTC • Stars: 41

First release on the web: CVE-2025-31125 CVE-2025-30208 CVE-2025-32395 Vite Scanner

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel