CVE-2025-30208
Published 2025-03-24
Priority: P1 (85) · Severity: high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (ITW) · public exploit available · listed in VulnCheck KEV
EPSS: 76.74% (99.5th percentile)
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
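The mechanism described above is easier to see in code. The JavaScript below is an added model written for this page, not Vite's source: the regex, the `handle`, `fsPath` and `isAllowed` functions, the `allowRoot` policy and the in-memory `disk` are all assumptions chosen to reproduce the shape of the bug (one component matches the query string as received, another strips trailing separators before it acts). The patched branch shows the general fix rather than Vite's exact patch: normalize once, before the check, and check the same string the loader will use.

```javascript
// Added example, not Vite's source: a minimal model of the bug class behind
// CVE-2025-30208. The access check decides whether a request is a raw file
// read by matching the query as received, while the loader strips trailing
// query separators before it matches. A suffix the regex rejects but the
// stripper removes reaches the file reader without ever being checked.

// "raw" must be the last token of the query for this regex to match.
const RAW_QUERY_RE = /(?:\?|&)raw(?:&|$)/;
// Strips every trailing "?" or "&" (the advisory's "trailing separators").
const TRAILING_SEPS_RE = /[?&]+$/;

// Hypothetical serving policy: only files under allowRoot may be read.
const allowRoot = '/srv/app';

// Constructed in-memory file system so the example runs offline.
const disk = {
  '/srv/app/README.md': 'hello from the project',
  '/etc/passwd': 'root:x:0:0:root:/root:/bin/sh',
};

// "/@fs/<absolute path>?query" -> "<absolute path>"
function fsPath(url) {
  const noQuery = url.split('?')[0];
  return noQuery.startsWith('/@fs/') ? noQuery.slice('/@fs'.length) : noQuery;
}

function isAllowed(file) {
  return file.startsWith(allowRoot + '/');
}

// Serve one request. patched=false reproduces the mismatch; patched=true
// normalizes once, up front, and checks the same string the loader will use.
function handle(url, { patched }) {
  const checked = patched ? url.replace(TRAILING_SEPS_RE, '') : url;
  if (RAW_QUERY_RE.test(checked) && !isAllowed(fsPath(checked))) {
    return { status: 403, body: 'denied by serving allow list' };
  }
  // Loader path: trailing separators are removed here regardless (standing in
  // for the "several places" the advisory mentions), so the loader's view of
  // the query can differ from what the access check saw.
  const loaderView = url.replace(TRAILING_SEPS_RE, '');
  if (RAW_QUERY_RE.test(loaderView)) {
    const file = fsPath(loaderView);
    return file in disk
      ? { status: 200, body: disk[file] }
      : { status: 404, body: 'not found' };
  }
  return { status: 404, body: 'not a raw request' };
}

// Run the advisory's two payload shapes, plus the plain ?raw form, against
// both models.
const probes = [
  '/@fs/etc/passwd?raw',
  '/@fs/etc/passwd?raw??',
  '/@fs/etc/passwd?import&raw??',
];
for (const patched of [false, true]) {
  for (const url of probes) {
    const r = handle(url, { patched });
    console.log(`${patched ? 'patched   ' : 'vulnerable'} ${url.padEnd(30)} -> ${r.status} ${r.body}`);
  }
}
```

In the vulnerable model the plain `?raw` request is denied, while `?raw??` and `?import&raw??` skip the check and return `/etc/passwd`; in the patched model all three are denied and an allowed file such as `/@fs/srv/app/README.md?raw??` is still served. The lesson generalizes beyond Vite: whatever canonicalization the consumer applies must be applied, identically, before the authorization decision.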
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | >= 0 < 4.5.10 (every release before 4.5.10) | 4.5.10 |
| vitejs | vite | >= 5.0.0 < 5.4.15 | 5.4.15 |
| vitejs | vite | >= 6.0.0 < 6.0.12 | 6.0.12 |
| vitejs | vite | >= 6.1.0 < 6.1.2 | 6.1.2 |
| vitejs | vite | >= 6.2.0 < 6.2.3 | 6.2.3 |
Detection & IOCs (extracted from sources)
Suricata rule (ET Open sid 2061339; the `http.uri` / `startswith` sticky-buffer syntax is Suricata's, so load it in Suricata rather than Snort 2):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/@fs"; fast_pattern; startswith; content:"raw"; distance:0; reference:url,github.com/advisories/GHSA-x574-m823-4x7w; reference:cve,2025-30208; classtype:attempted-admin; sid:2061339; rev:1; metadata:affected_product Vite, attack_target Web_Server, tls_state plaintext, created_at 2025_04_07, cve CVE_2025_30208, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for HTTP GET requests whose URI starts with `/@fs` and contains `raw` after it. This is the canonical exploit pattern for CVE-2025-30208. Note that the ET rule anchors `/@fs` with `startswith` and then matches `raw` at `distance:0` with no `within`, so it fires on `raw` anywhere later in the URI, not only inside the query string.
- The bypass appends trailing `?` separators to the query (e.g. `?raw??` or `?import&raw??`). Detect these anomalous double-question-mark suffixes in request URIs, including their percent-encoded form (`%3F%3F`).
- Attackers target well-known sensitive files via the `/@fs/` prefix. Monitor for paths such as `/etc/passwd`, `/etc/environment` and `/.aws/credentials`, including `../` traversal forms such as `/@fs/../../../../../etc/environment` seen on the ISC honeypots, in requests to Vite dev server ports.
- The Nuclei template fingerprints Vite exposure by checking for `/@vite/client` in the response body before probing for the file read. A request for `/@vite/client` on its own is not an indicator: every page served by a Vite dev server loads it.
- Attacks have been observed on standard web server ports (80/443), not just the default Vite port 5173; do not limit detection scope to port 5173 alone.
- An alternative payload uses a `.svg?.wasm?init` suffix instead of `?raw??`, as observed in CTF exploitation of the same CVE.
- The ET rule inspects plaintext HTTP (`tls_state plaintext`). A dev server reached over TLS, for example behind a reverse proxy, needs decrypted traffic or host-side request logs for the signature to apply.
- Caveat: only Vite dev servers explicitly exposed to the network (`--host` or `server.host`) are reachable by remote attackers. Instances bound only to localhost (the default) are not.
- Caveat: the bypass defeats both `server.fs.deny` and the `server.fs.allow` list; a correctly configured deny list does not protect unpatched versions. Upgrading to a fixed release is the remediation.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD | 7.5 (v3.1) | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| VulnCheck | 5.3 | MEDIUM | not shown |
| Red Hat | 5.3 | MEDIUM | not shown |
NVD rates the confidentiality impact High; the 5.3 scores from VulnCheck and Red Hat are consistent with the same vector at C:L.
GHSA
ghsa · 2025-03-25 · CVE-2025-30208 [MEDIUM] · CWE-200
Vite bypasses server.fs.deny when using ?raw??
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
### Details
`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.
### PoC
```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt
# expe
```
OSV
osv · 2025-03-25 · CVE-2025-30208 [MEDIUM]
Vite bypasses server.fs.deny when using ?raw??
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
### Details
`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.
### PoC
```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt
# expe
```
VulnCheck
vulncheck · 2025 · CVE-2025-30208 [MEDIUM] · CVSS 5.3
vitejs vite Exposure of Sensitive Information to an Unauthorized Actor
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Affected: vitejs v
Red Hat
vendor_redhat · 2025-03-24 · CVE-2025-30208 [MEDIUM] · CWE-41 · CVSS 5.3
vite: Vite bypasses server.fs.deny when using `?raw??`
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
A flaw was found in the Vite front
Suricata
suricata · 2025-04-07 · CVE-2025-30208 [MEDIUM] · CVSS 5.3
ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/@fs"; fast_pattern; startswith; content:"raw"; distance:0; reference:url,github.com/advisories/GHSA-x574-m823-4x7w; reference:cve,2025-30208; classtype:attempted-admin; sid:2061339; rev:1; metadata:affected_product Vite, attack_target Web_Server, tls_state plaintext, created_at 2025_04_07, cve CVE_2025_30208, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acce
Exploit-DB
exploitdb · 2025-04-03 · CVE-2025-30208 [MEDIUM] · CVSS 5.3
Vite 6.2.2 - Arbitrary File Read
---
# Exploit Title: Vite Arbitrary File Read - CVE-2025-30208
# Date: 2025-04-03
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://vitejs.dev/
# Software Link: https://github.com/vitejs/vite
# Version: <= 6.2.2, <= 6.1.1, <= 6.0.11, <= 5.4.14, <= 4.5.9
# Tested on: Ubuntu
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-30208
# https://github.com/advisories/GHSA-x574-m823-4x7w
# CVE : CVE-2025-30208
"""
################
# Description #
################
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses
Nuclei
nuclei · CVE-2025-30208 [HIGH] · CVSS 7.5
Vite - Arbitrary File Read
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Template:
id: CVE-2025-30208
info:
name: Vite - Arbitrary Fi
SANS ISC
blogs_sans_isc · 2026-04-02 · CVE-2025-30208 [MEDIUM] · CVSS 5.3
Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208), (Thu, Apr 2nd)
Published: 2026-04-02. Last Updated: 2026-04-02 14:49:00 UTC
by Johannes Ullrich (Version: 1)
From its GitHub repo: "Vite (French word for "quick", pronounced /vit/, like "veet") is a new breed of frontend build tooling that significantly improves the frontend development experience" [https://github.com/vitejs/vite].
This environment introduces some neat and useful shortcuts to make developers' lives simpler. But as so often, if exposed, these features can be turned against you.
Today, I noticed our honeypots collecting URLs like:
/@fs/../../../../../etc/environment?raw??
/@fs/etc/environment?raw??
/@fs/home/app/.aws/credentials?raw??
and many more like it. The common denominator is the prefix "/@fs/" and t
GreyNoise
blogs_greynoiseio
NoiseLetter April 2025
CTF
ctf_writeups · 2025 · CVE-2025-30208 [MEDIUM] · CVSS 5.3
FesseMisk / README
# CVE-Safari
**FesseMisk by HAL50000**
## Initial Reconnaissance
Every boot2root starts with nmap. I always run `nmap -T5 -A IP -vv` because I'm impatient and like my scans aggressive.
**NMAP Results:**
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14
5173/tcp open unknown
```
Port 5173 showed Vite configuration errors and blocked requests in the fingerprint.
## Step 1: Alpha User (Vite CVE-2025-30208)
Checked out port 5173 and found it was running **Vite v6.2.1**:
```bash
curl -v http://10.128.8.84:5173/
# Output shows: VITE v6.2.1
```
From the challenge context, I guessed there's a CVE from 2025 in that Vite version.
**EXPERT LEVEL GOOGLE DORKING INCOMING:** I found basically all POCs in this challenge by typing `THING CVE-2025 poc github`. Sign u
Bugzilla
bugzilla · 2025-03-24 · CVE-2025-30208 [HIGH] · CVSS 7.5
CVE-2025-30208 vite: Vite bypasses server.fs.deny when using `?raw??`
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
References:
- https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
- https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
- https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
- https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
- https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
- https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w