CVE-2025-30208— Vite bypasses server.fs.deny when using `?raw??`
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-30208
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vite bypasses server.fs.deny when using `?raw??`
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vite 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vite是Vite开源的一种新型的前端构建工具。 Vite存在访问控制错误漏洞,该漏洞源于URL中的`?raw??`或`?import&raw??`可以绕过文件访问限制,返回任意文件内容。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2025-30208
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | 最新的CVE-2025-30208的poc(这个仓库主要拿来写实战src的一些自己写的bypass-waf的脚本以及搜集的干货博主) | https://github.com/LiChaser/CVE-2025-30208 | POC Details |
| 2 | 全网首发 The first Vite scanner on the entire network Automatic target asset collection via FOFA Multi-threaded concurrent scanning Automatic CSV report generation | https://github.com/xuemian168/CVE-2025-30208 | POC Details |
| 3 | CVE-2025-30208-EXP | https://github.com/ThumpBo/CVE-2025-30208-EXP | POC Details |
| 4 | CVE-2025-30208 检测工具。python script && nuclei template | https://github.com/xaitx/CVE-2025-30208 | POC Details |
| 5 | CVE-2025-30208漏洞验证工具 | https://github.com/kk12-30/CVE-2025-30208 | POC Details |
| 6 | CVE-2025-30208 任意文件读取漏洞快速验证 | https://github.com/YuanBenSir/CVE-2025-30208_POC | POC Details |
| 7 | CVE-2025-30208-EXP 任意文件读取 | https://github.com/marino-admin/Vite-CVE-2025-30208-Scanner | POC Details |
| 8 | CVE-2025-30208动态检测脚本,支持默认路径,自定义路径动态检测 | https://github.com/iSee857/CVE-2025-30208-PoC | POC Details |
| 9 | This exploit is for educational and ethical security testing purposes only. The use of this exploit against targets without prior mutual consent is illegal, and the developer disclaims any liability for misuse or damage caused by this exploit. | https://github.com/On1onss/CVE-2025-30208-LFI | POC Details |
| 10 | CVE-2025-30208 | Vite脚本 | https://github.com/sadhfdw129/CVE-2025-30208-Vite | POC Details |
| 11 | CVE-2025-30208 ViteVulnScanner | https://github.com/keklick1337/CVE-2025-30208-ViteVulnScanner | POC Details |
| 12 | A PoC of the exploit script for the Arbitrary File Read vulnerability of Vite /@fs/ Path Traversal in the transformMiddleware (CVE-2025-30208). | https://github.com/4xura/CVE-2025-30208 | POC Details |
| 13 | 针对CVE-2025-30208和CVE-2025-31125的漏洞利用 | https://github.com/jackieya/ViteVulScan | POC Details |
| 14 | None | https://github.com/0xshaheen/CVE-2025-30208 | POC Details |
| 15 | mass scan for CVE-2025-30208 | https://github.com/sumeet-darekar/CVE-2025-30208 | POC Details |
| 16 | CVE-2025-30208 - Vite Arbitrary File Read PoC | https://github.com/4m3rr0r/CVE-2025-30208-PoC | POC Details |
| 17 | Vite-CVE-2025-30208-EXP单目标检测,支持自定义读取路径,深度检索 | https://github.com/lilil3333/Vite-CVE-2025-30208-EXP | POC Details |
| 18 | Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-30208.yaml | POC Details |
| 19 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/Vite%20%E5%BC%80%E5%8F%91%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%20CVE-2025-30208.md | POC Details |
| 20 | https://github.com/vulhub/vulhub/blob/master/vite/CVE-2025-30208/README.md | POC Details | |
| 21 | CVE-2025-30208 vite file read nuclei template | https://github.com/imbas007/CVE-2025-30208-template | POC Details |
| 22 | Analysis of the Reproduction of CVE-2025-30208 Series Vulnerabilities | https://github.com/r0ngy40/CVE-2025-30208-Series | POC Details |
| 23 | None | https://github.com/nkuty/CVE-2025-30208-31125-31486-32395 | POC Details |
| 24 | POC | https://github.com/HaGsec/CVE-2025-30208 | POC Details |
| 25 | CVE-2025-30208 | https://github.com/B1ack4sh/Blackash-CVE-2025-30208 | POC Details |
| 26 | CVE‑2025‑30208 is a medium-severity arbitrary file read vulnerability in the Vite development server (a popular frontend build tool) | https://github.com/ThemeHackers/CVE-2025-30208 | POC Details |
| 27 | CVE‑2025‑30208 is a medium-severity arbitrary file read vulnerability in the Vite development server (a popular frontend build tool) | https://github.com/TH-SecForge/CVE-2025-30208 | POC Details |
| 28 | CVE-2025-30208 | https://github.com/gonn4cry/CVE-2025-30208 | POC Details |
| 29 | 🛠️ Detect and exploit the Vite development server's arbitrary file read vulnerability (CVE-2025-30208) with customizable options for effective scanning. | https://github.com/Dany60-98/CVE-2025-30208-EXP | POC Details |
| 30 | CVE-2025-30208 | https://github.com/bugdotexe/CVE-2025-30208 | POC Details |
| 31 | CVE-2025-30208 | https://github.com/qodo-dev/CVE-2025-30208 | POC Details |
| 32 | CVE-2025-30208 任意文件读取漏洞快速验证 | https://github.com/MiclelsonCN/CVE-2025-30208_POC | POC Details |
| 33 | CVE-2025-30208 检测工具。python script && nuclei template | https://github.com/Lusensec/CVE-2025-30208 | POC Details |
| 34 | CVE-2025-30208 | https://github.com/Ashwesker/Blackash-CVE-2025-30208 | POC Details |
| 35 | This repository documents CVE-2025-30208, an Arbitrary File Read vulnerability affecting Vite development servers when misconfigured or exposed to untrusted networks. | https://github.com/layanOd/CVE-2025-30208-Arbitrary-File-Read-in-Vite-servers | POC Details |
| 36 | This exploit is for educational and ethical security testing purposes only. The use of this exploit against targets without prior mutual consent is illegal, and the developer disclaims any liability for misuse or damage caused by this exploit. | https://github.com/On1onss/CVE-2025-30208 | POC Details |
| 37 | CVE-2025-30208 | https://github.com/Ashwesker/Ashwesker-CVE-2025-30208 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-30208
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: vite
- CVE-2026-39365
Vite has a Path Traversal in Optimized Deps `.map` Handling - CVE-2026-39364
Vite has a `server.fs.deny` bypass with queries - CVE-2026-39363
Vite Affected by Arbitrary File Read via Vite Dev Server Web - CVE-2025-62522
vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-58752
Vite's `server.fs` settings were not applied to HTML files
Same vendor: vitejs
- CVE-2026-39365
Vite has a Path Traversal in Optimized Deps `.map` Handling - CVE-2026-39364
Vite has a `server.fs.deny` bypass with queries - CVE-2026-39363
Vite Affected by Arbitrary File Read via Vite Dev Server Web - CVE-2025-68155
@vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_ - CVE-2025-67489
@vitejs/plugin-rsc Remote Code Execution through unsafe dyna
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2025-30208
No comments yet