Vite Development Server File Read Bypass – CVE-2025-30208

Vulnerable Version

Versions before 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10

Fixed Version

6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10

Base Score

5.3 Medium

Vendor Description:

Vite is a frontend build tool that takes advantage of the browser's native ES module support to provide a fast development server and fast production builds. It aims to improve the development experience and efficiency through features such as hot module replacement (HMR).

CVE-2025-30208 Vulnerability Description:

In versions of Vite before 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10, the server.fs.deny feature, which is designed to restrict access to files outside of Vite's serving allow list, can be bypassed. By appending ?raw?? or ?import&raw?? to URLs that use the @fs prefix, an attacker can read arbitrary files on the filesystem, as long as the Node.js process has permission to read them. Only a development server that is reachable by the attacker is affected, for example one started with --host or with server.host set to a non-localhost address.

This vulnerability occurs because trailing separators such as ? are stripped in several places during request processing but are not accounted for in the query-string regular expressions, so the path that the security check inspects differs from the path that is ultimately served, and the check is bypassed.

Impact:

This leads to the following potential security risks:

  • Reading arbitrary files on the server
  • Accessing system configuration files
  • Obtaining sensitive application information
  • Probing server directory structure

Mitigations:

  • Upgrade Vite: Update to a patched version (e.g., 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10) where the vulnerability has been addressed.
  • Restrict Server Exposure: Ensure the development server is not exposed to the public internet. Avoid using --host or setting server.host to a non-localhost value.
  • Implement Network Controls: Use firewalls or reverse proxies to limit access to the development server, allowing only trusted IP addresses.
  • Sanitize Inputs: Validate and sanitize all incoming requests to prevent malicious query parameters from bypassing security checks.
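To support the network-control and input-validation mitigations above, the following added example (written for this page, not code from the original post or from the Vite project) scans access-log lines for requests shaped like this bypass: an /@fs/ path whose query string contains raw followed by a second ?. The combined log format, the sample lines, and the percent-decoding step are assumptions of the example.

```javascript
// Added example, not from the original post or the Vite project: flag
// requests shaped like the CVE-2025-30208 bypass in HTTP access logs, for
// log review or as a filter in front of an exposed Vite dev server.

// A request path is suspicious when it targets Vite's /@fs/ route and its
// query string contains "raw" followed by a second "?" (the "?raw??" and
// "?import&raw??" forms described above). Percent-encoding is undone first
// so an encoded query cannot slip past the scan (defensive assumption).
function classifyRequestPath(rawPath) {
  let path = rawPath;
  try {
    path = decodeURIComponent(rawPath);
  } catch (_) {
    // Malformed percent-encoding: keep the raw string and still inspect it.
  }
  const q = path.indexOf("?");
  if (q === -1) return null;
  const route = path.slice(0, q);
  const query = path.slice(q + 1);
  if (!route.startsWith("/@fs/")) return null;
  // "raw?" at the start of the query or right after a "?" / "&" separator.
  if (!/(^|[?&])raw\?/.test(query)) return null;
  return { route, query, file: route.slice("/@fs".length) };
}

// Combined log format assumed: ... "GET /path HTTP/1.1" status bytes
const REQUEST_LINE = /"(?:GET|HEAD|POST)\s+(\S+)\s+HTTP\/[\d.]+"/;

// Return one finding per matching log line.
function findBypassAttempts(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    const m = line.match(REQUEST_LINE);
    if (!m) continue;
    const finding = classifyRequestPath(m[1]);
    if (finding) hits.push({ line, ...finding });
  }
  return hits;
}

// Constructed sample lines (not real traffic): a normal asset request, the
// blocked plain /@fs/ request (403), the two bypass forms, an encoded
// variant, and a legitimate "?raw" import that must not be flagged.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Apr/2025:10:00:02 +0000] "GET /@fs/etc/passwd HTTP/1.1" 403 0',
  '203.0.113.7 - - [01/Apr/2025:10:00:03 +0000] "GET /@fs/etc/passwd?raw?? HTTP/1.1" 200 1887',
  '203.0.113.7 - - [01/Apr/2025:10:00:04 +0000] "GET /@fs/etc/passwd?import&raw?? HTTP/1.1" 200 1901',
  '203.0.113.7 - - [01/Apr/2025:10:00:05 +0000] "GET /@fs/etc/passwd%3Fraw%3F%3F HTTP/1.1" 200 1887',
  '198.51.100.2 - - [01/Apr/2025:10:00:06 +0000] "GET /src/shader.glsl?raw HTTP/1.1" 200 300',
].join("\n");
```

Running findBypassAttempts(SAMPLE_LOG) reports the three bypass-shaped lines and ignores the blocked plain request and the legitimate ?raw import.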

POC

The vulnerability allows an attacker to read arbitrary files on the server’s filesystem by bypassing the server.fs.deny protection.

First, try to access /etc/passwd using the standard @fs prefix to verify that normal access to files outside the allowed directories is properly blocked:

[Screenshot: request to /@fs/etc/passwd returning 403 Forbidden]

You should receive a 403 Forbidden response since this path is not on Vite’s approved serving list.

However, by appending ?raw?? to the URL, you can bypass this restriction and retrieve the contents of the file:

[Screenshot: the same request with ?raw?? appended returning the file contents]

References:

https://nvd.nist.gov/vuln/detail/CVE-2025-30208

https://github.com/vulhub/vulhub/tree/master/vite/CVE-2025-30208
