Listen to this Post
The vulnerability resides in how the Vite dev server processes URL query parameters. Normally, the `@fs` mechanism restricts access to files outside the project’s serving allow list. By appending specially crafted query parameters like `?raw??` or `?import&raw??` to the URL, an attacker can bypass these file access restrictions. The issue arises because trailing separators, such as the question mark (?), are removed in several places during request processing but are not properly accounted for in the regular expressions used to enforce the query string checks. This allows a malicious request to evade the `server.fs.deny` blocklist and return the content of sensitive files, such as `.env` or .crt, with a HTTP 200 response. The attack is only possible when the dev server is explicitly exposed to the network using the `–host` flag or the `server.host` configuration option.
DailyCVE Form: Platform: Vite Version: <6.2.3 Vulnerability: FS Bypass Severity: Medium date: 2025-04-07 Prediction: Already Patched
What Undercode Say:
Bash Commands & Codes
Start vulnerable dev server pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort Attempt to access blocked file (expect 403) curl -i http://127.0.0.1:5175/src/.env | head -n 20 Exploit using ?import&raw?? (expect 200) curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
Exploit:
An attacker can read arbitrary files by adding `?import&raw??` to the URL, which bypasses the `@fs` allowlist and returns the file’s content.
Protection from this CVE
Upgrade Vite to a patched version: 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10. Avoid exposing the dev server to external networks by not using the `–host` flag or `server.host` configuration unless absolutely necessary.
Impact:
Successful exploitation allows a remote, unauthenticated attacker to access sensitive files (e.g., environment variables, certificates) outside the intended directory, leading to information disclosure.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

