CVE-2025-30208
Published: 24 March 2025
Summary
CVE-2025-30208 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
Vite, the frontend development build tool, is affected by a path traversal flaw in all versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. The @fs allow-list mechanism that normally prevents serving files outside designated directories can be bypassed by appending query strings such as ?raw?? or ?import&raw??; the bypass succeeds because trailing separators are stripped in multiple code paths while the corresponding query-string regular expressions are not updated to account for them, resulting in arbitrary file contents being returned to the browser.
Only deployments that deliberately expose the Vite development server to the network, either through the --host command-line flag or the server.host configuration option, are impacted. An unauthenticated remote attacker who can reach the dev server can therefore read any file on the underlying filesystem by crafting an appropriate URL, yielding high-impact confidentiality exposure while requiring no user interaction.
The referenced GitHub commits implement the corrective changes and are included in the patched releases; upgrading to one of the fixed versions eliminates the regex mismatch and restores the intended access controls. The associated EPSS score sits at 0.8985 with a recorded peak of 0.9045.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8079
Vulnerability details
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this…
more
limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables arbitrary local file read via exposed Vite dev server (public-facing web application exploitation), facilitating file/directory discovery and collection of data from local system.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the specific flaw in Vite's @fs module by patching to fixed versions, directly preventing arbitrary file disclosure.
Mandates validation of URL query parameters to block bypasses via malformed queries like ?raw?? that evade file access restrictions.
Enforces secure configuration settings, such as disabling server.host exposure of the Vite dev server to untrusted networks, eliminating remote attack vectors.