CVE-2025-30208
published 2025-03-24


Priority: P1 (85, high) · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW exploit); listed in VulnCheck KEV
EPSS: 76.74% (99.5th percentile)
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

Affected (14 ranges)

Vendor   Product   Version range        Fixed in
vitejs   vite      < 4.5.10             4.5.10
vitejs   vite
vitejs   vite
vitejs   vite
vitejs   vite
vitejs   vite      >= 0 < 4.5.10        4.5.10
vitejs   vite      >= 5.0.0 < 5.4.15    5.4.15
vitejs   vite      >= 5.0.0 < 5.4.15    5.4.15
vitejs   vite      >= 6.0.0 < 6.0.12    6.0.12
vitejs   vite      >= 6.0.0 < 6.0.12    6.0.12
vitejs   vite      >= 6.1.0 < 6.1.2     6.1.2
vitejs   vite      >= 6.1.0 < 6.1.2     6.1.2
vitejs   vite      >= 6.2.0 < 6.2.3     6.2.3
vitejs   vite      >= 6.2.0 < 6.2.3     6.2.3

Detection & IOCs (extracted from sources)

url:   /@fs/../../../../../etc/environment?raw??
url:   /@fs/etc/environment?raw??
url:   /@fs/home/app/.aws/credentials?raw??
url:   /etc/passwd?raw??
url:   /etc/passwd?raw
port:  5173
path:  /@fs/
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/@fs"; fast_pattern; startswith; content:"raw"; distance:0; reference:url,github.com/advisories/GHSA-x574-m823-4x7w; reference:cve,2025-30208; classtype:attempted-admin; sid:2061339; rev:1; metadata:affected_product Vite, attack_target Web_Server, tls_state plaintext, created_at 2025_04_07, cve CVE_2025_30208, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP GET requests whose URI starts with '/@fs' and carries 'raw' in the query string: this is the canonical exploit pattern for CVE-2025-30208.
  • The bypass appends trailing '?' separators to query parameters (e.g., '?raw??' or '?import&raw??'). Detect these anomalous double-question-mark suffixes in HTTP request URIs.
  • Attackers target well-known sensitive files via the /@fs/ path prefix. Monitor for paths such as /etc/passwd, /etc/environment, and /.aws/credentials in requests to Vite dev server ports.
  • The Nuclei template fingerprints Vite exposure by checking for '/@vite/client' in the response body before probing for the file read vulnerability.
  • Attacks have been observed on standard web server ports (80/443), not just the default Vite port 5173; do not limit detection scope to port 5173 alone.
  • An alternative bypass payload uses the '.svg?.wasm?init' suffix pattern instead of '?raw??', as observed in CTF exploitation of the same CVE.
  • Only Vite dev servers explicitly exposed to the network (via --host or the server.host option) are vulnerable. Instances bound only to localhost (the default) are not reachable by remote attackers.
  • The vulnerability bypasses the server.fs.deny restrictions; even a properly configured deny list is ineffective against this bypass on unpatched versions.
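As an added example (not from the advisory's sources, the Snort rule, or the Vite project), the detection points above turned into a small Python log scanner: it splits each request URI on the first '?', decodes percent-encoding so that encoded separators cannot slip past the match, and reports the '/@fs' + 'raw' pattern, the trailing '??' (or '.svg?.wasm?init') bypass suffix, and the sensitive file paths from the IOC list. The log lines, the SENSITIVE tuple and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
# Lines 1, 2, 4 and 6 mirror the IOC patterns from this advisory; 3 and 5 are
# ordinary Vite dev-server traffic that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2025:10:00:01 +0000] "GET /@fs/etc/environment?raw?? HTTP/1.1" 200 312
10.0.0.5 - - [07/Apr/2025:10:00:02 +0000] "GET /@fs/../../../../../etc/passwd?import&raw?? HTTP/1.1" 200 1024
10.0.0.9 - - [07/Apr/2025:10:00:03 +0000] "GET /src/main.ts?import HTTP/1.1" 200 5120
10.0.0.9 - - [07/Apr/2025:10:00:04 +0000] "GET /src/logo.svg?.wasm?init HTTP/1.1" 200 780
10.0.0.7 - - [07/Apr/2025:10:00:05 +0000] "GET /@vite/client HTTP/1.1" 200 2048
10.0.0.5 - - [07/Apr/2025:10:00:06 +0000] "GET /@fs/home/app/.aws/credentials%3Fraw%3F%3F HTTP/1.1" 200 140
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d"')

# Sensitive targets named in the IOC list (assumed starting set; extend as needed).
SENSITIVE = ("/etc/passwd", "/etc/environment", "/.aws/credentials")


def classify(uri):
    """Return the CVE-2025-30208 indicators present in a request URI (empty if none)."""
    uri = unquote(uri)                      # normalise %3F etc. before matching
    path, _, query = uri.partition("?")     # split on the first '?' only
    reasons = []
    # Same idea as the Snort rule: URI starts with /@fs and carries a 'raw' query key.
    if path.startswith("/@fs") and re.search(r"(^|&)raw(=|&|\?|$)", query):
        reasons.append("raw read via /@fs")
    # Trailing-separator bypass ('?raw??', '?import&raw??') or the '.svg?.wasm?init' variant.
    if query.endswith("??") or uri.endswith("?.wasm?init"):
        reasons.append("known bypass suffix")
    if any(path.endswith(s) for s in SENSITIVE):
        reasons.append("sensitive file path")
    return reasons


def scan(log_text):
    """Return a list of (decoded uri, reasons) for every GET matching at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and m["method"] == "GET":
            reasons = classify(m["uri"])
            if reasons:
                findings.append((unquote(m["uri"]), reasons))
    return findings


if __name__ == "__main__":
    for uri, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {uri}: {', '.join(reasons)}")
```

Run it against the dev server's or reverse proxy's access log rather than only port 5173, since the advisory notes hits on 80/443 as well.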

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            3.1      7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck               5.3    MEDIUM
vendor_redhat           5.3    MEDIUM