(Vite Dev Server), Arbitrary File Read, CVE-2025-30208 (Medium)

Listen to this Post

The vulnerability resides in how the Vite dev server processes URL query parameters. Normally, the `@fs` mechanism restricts access to files outside the project’s serving allow list. By appending specially crafted query parameters like `?raw??` or `?import&raw??` to the URL, an attacker can bypass these file access restrictions. The issue arises because trailing separators, such as the question mark (?), are removed in several places during request processing but are not properly accounted for in the regular expressions used to enforce the query string checks. This allows a malicious request to evade the `server.fs.deny` blocklist and return the content of sensitive files, such as `.env` or .crt, with a HTTP 200 response. The attack is only possible when the dev server is explicitly exposed to the network using the `–host` flag or the `server.host` configuration option.

DailyCVE Form:
Platform: Vite
Version: <6.2.3
Vulnerability: FS Bypass
Severity: Medium
date: 2025-04-07
Prediction: Already Patched

What Undercode Say:

Bash Commands & Codes

Start vulnerable dev server
pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
Attempt to access blocked file (expect 403)
curl -i http://127.0.0.1:5175/src/.env | head -n 20
Exploit using ?import&raw?? (expect 200)
curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"

Exploit:

An attacker can read arbitrary files by adding `?import&raw??` to the URL, which bypasses the `@fs` allowlist and returns the file’s content.

Protection from this CVE

Upgrade Vite to a patched version: 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10. Avoid exposing the dev server to external networks by not using the `–host` flag or `server.host` configuration unless absolutely necessary.

Impact:

Successful exploitation allows a remote, unauthenticated attacker to access sensitive files (e.g., environment variables, certificates) outside the intended directory, leading to information disclosure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top