CVE-2025-30208 Overview
Vite, a widely deployed frontend development tooling provider, contains an arbitrary file read vulnerability in its development server. The @fs endpoint denies access to files outside the Vite serving allow list. Appending ?raw?? or ?import&raw?? to a request URL bypasses this restriction and returns arbitrary file contents to the browser. The bypass exists because trailing separators such as ? are stripped in several code paths, but the query string regular expressions do not account for them. Only applications that explicitly expose the Vite dev server to the network using --host or the server.host configuration option are affected.
Critical Impact
Network-accessible Vite dev servers leak the contents of any file readable by the Node.js process, including source code, environment variables, and credentials.
Affected Products
- Vite versions prior to 6.2.3 on the 6.2.x branch
- Vite versions prior to 6.1.2, 6.0.12, and 5.4.15 on earlier 6.x and 5.x branches
- Vite versions prior to 4.5.10 on the 4.x branch
Discovery Timeline
- 2025-03-24 - CVE-2025-30208 published to the National Vulnerability Database (NVD)
- 2025-09-23 - Last updated in NVD database
Technical Details for CVE-2025-30208
Vulnerability Analysis
The vulnerability is an information disclosure flaw classified under [CWE-200]. Vite's dev server exposes an internal @fs route to read project files during development. Access control logic restricts @fs to paths inside a configured allow list. Attackers bypass this control by appending crafted query suffixes to the request URL. The server normalizes the path by trimming trailing separators, but the query-matching regular expressions do not, producing inconsistent state between authorization and file resolution. With a high EPSS percentile, this issue has attracted active scanning and exploitation interest.
Root Cause
The root cause is inconsistent parsing of URL query strings. Trailing ? characters are stripped in some code paths and preserved in others. When the query regex fails to match ?raw?? or ?import&raw??, the request bypasses the @fs allow-list check, while the file resolution logic still interprets the URL as a valid filesystem read request.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to the exposed Vite dev server containing a path to a target file with a crafted ?raw?? or ?import&raw?? suffix. The server returns the raw file contents in the response body. Exploitation requires no privileges or user interaction, and exposure is limited to dev servers bound to a non-loopback interface via --host or server.host. The vulnerability does not affect production builds because the dev server is not used at runtime in production deployments.
No verified exploit code is reproduced here. See the GitHub Security Advisory GHSA-x574-m823-4x7w for technical details.
Detection Methods for CVE-2025-30208
Indicators of Compromise
- HTTP requests to the Vite dev server containing the query suffixes ?raw?? or ?import&raw??
- Access log entries targeting sensitive files such as .env, id_rsa, /etc/passwd, or application configuration files via the dev server port (default 5173)
- Outbound responses from developer workstations or CI runners containing file contents over the dev server port to unexpected external IP addresses
Detection Strategies
- Inspect web proxy and network telemetry for URI patterns matching the regex \?(import&)?raw\?\? targeting Node.js dev server ports
- Alert on any inbound connection to common Vite dev server ports (5173, 4173) from non-loopback or non-RFC1918 sources
- Correlate process telemetry for node or vite processes bound to 0.0.0.0 or a public interface with concurrent inbound HTTP traffic
Monitoring Recommendations
- Track running vite processes across developer endpoints and CI infrastructure and flag those launched with --host or a non-default server.host
- Monitor egress firewall logs for unexpected file content transfers originating from developer workstations
- Ingest Vite access logs into a centralized log platform and create detections for the bypass query patterns
How to Mitigate CVE-2025-30208
Immediate Actions Required
- Upgrade Vite to a patched release: 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10 depending on the branch in use
- Audit vite.config.js and CLI invocations across repositories for --host flags or server.host settings and remove unnecessary network exposure
- Restrict dev server ports at the host or network firewall to loopback only
Patch Information
The maintainers fixed the bypass by aligning the query string regular expressions with the path normalization logic. The relevant fixes are referenced in upstream commits 315695e, 80381c3, 807d7f0, 92ca12d, and f234b57. Upgrade using your package manager, for example npm install vite@6.2.3 --save-dev.
Workarounds
- Bind the dev server to localhost only by removing --host and setting server.host to 127.0.0.1
- Place the dev server behind authenticated tunneling tools such as SSH port forwarding when remote access is required
- Block inbound traffic to development ports (5173, 4173) at host-based firewalls on developer endpoints
# vite.config.js - restrict dev server to loopback
export default {
server: {
host: '127.0.0.1',
port: 5173,
strictPort: true
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
