Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-30208Sensitive Information Exposure in Vite

CWE-200Sensitive Information ExposureCWE-284Improper Access ControlCWE-41Improper Resolution of Path Equivalence11 documents11 sources
Severity
7.5HIGHNVD
VulnCheck5.3
EPSS
89.0%
top 0.47%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Vitejs Vite
Timeline
PublishedMar 24
Latest updateApr 2

Description

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDvitejs/vite5.0.05.4.15+4
npmvitejs/vite6.2.06.2.3+4
CVEListV5vitejs/vite4 versions+3

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Vite bypasses server.fs.deny when using ?raw??2025-03-25
OSV
Vite bypasses server.fs.deny when using ?raw??2025-03-25
VulnCheck
vitejs vite Exposure of Sensitive Information to an Unauthorized Actor2025

💥Exploits & PoCs

2
Exploit-DB
Vite 6.2.2 - Arbitrary File Read2025-04-03
Nuclei
Vite - Arbitrary File Read

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208)2025-04-07

📋Vendor Advisories

1
Red Hat
vite: Vite bypasses server.fs.deny when using `?raw??`2025-03-24

🕵️Threat Intelligence

2
Sans Isc
Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208), (Thu, Apr 2nd)2026-04-02
Greynoiseio
NoiseLetter April 2025

📄Research Papers

1
CTF
FesseMisk / README2025