Cyber Resilience

CVE-2025-30208

Severity: Medium · Public PoC

Published: 24 March 2025
Modified: 23 September 2025
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.8985 (99.6th percentile)
Risk Priority: 65 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30208 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 0.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Vite, the frontend development build tool, is affected by an arbitrary file read flaw in all releases prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15 and 4.5.10. The @fs allow-list mechanism that normally prevents the dev server from serving files outside designated directories can be bypassed by appending query strings such as ?raw?? or ?import&raw?? to the URL. The bypass exists because trailing separators such as ? are stripped in several code paths, while the query-string regular expressions that classify a request as a raw-file request were not updated to account for them. The access check keyed on those regexes therefore does not fire for the oddly spelled query, yet by the time the file is read the URL has been normalised into an ordinary ?raw request, and the contents of an arbitrary file are returned to the browser.

Only deployments that deliberately expose the Vite development server to the network, through the --host command-line flag or the server.host configuration option, are affected; the default localhost binding is not reachable remotely. Once that precondition holds, an unauthenticated attacker who can reach the dev server can read any file the server process can read by sending a single crafted GET request, a high-impact confidentiality exposure. Note that the CVSS vector rates attack complexity High and user interaction Required; in practice the limiting factor is the exposure precondition, since the request itself needs no action from a victim.

The fix commits linked from the advisory are included in the patched releases; upgrading to the fixed version for your release line (6.2.3, 6.1.2, 6.0.12, 5.4.15 or 4.5.10) eliminates the regex mismatch and restores the intended access controls. Where an immediate upgrade is not possible, stop exposing the dev server to the network. The associated EPSS score sits at 0.8985, with a recorded peak of 0.9045.


Vulnerability details

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables arbitrary local file read through an exposed Vite dev server (exploitation of a public-facing application, T1190), which in turn supports file and directory discovery (T1083) and collection of data from the local system (T1005).

MITRE ATLAS Techniques (AI-generated mapping)

AML.T0016: Obtain Capabilities
AML.T0024: Exfiltration via AI Inference API

CVEs Like This One

CVE-2025-31125 (same product: Vitejs Vite)
CVE-2026-39364 (same product: Vitejs Vite)
CVE-2026-39363 (same product: Vitejs Vite)
CVE-2026-5571 (shared CWE-200, CWE-284)
CVE-2025-8590 (shared CWE-200)
CVE-2026-2055 (shared CWE-200, CWE-284)
CVE-2026-2054 (shared CWE-200, CWE-284)
CVE-2026-32938 (shared CWE-200, CWE-284)
CVE-2026-2894 (shared CWE-200, CWE-284)
CVE-2026-2148 (shared CWE-200, CWE-284)

Affected Assets

vitejs / vite
< 4.5.10 · 5.0.0 to < 5.4.15 · 6.0.0 to < 6.0.12 · 6.1.0 to < 6.1.2 · 6.2.0 to < 6.2.3
(the bounds are exclusive: 4.5.10, 5.4.15, 6.0.12, 6.1.2 and 6.2.3 are the fixed releases)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the specific flaw in Vite's @fs handling by upgrading to a fixed release (6.2.3, 6.1.2, 6.0.12, 5.4.15 or 4.5.10), directly preventing arbitrary file disclosure.

SI-10 Information Input Validation (prevent)
Mandates validation of URL query parameters so that malformed queries such as ?raw?? cannot evade the file access restrictions; in practice, the allow-list decision must be made on the canonical file path rather than on the raw query spelling.

CM-6 Configuration Settings (prevent)
Enforces secure configuration settings, in particular keeping the Vite dev server on its default localhost binding and not exposing it to untrusted networks through --host or server.host, which removes the remote attack vector entirely.
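The CM-6 control above is the one a team can verify on its own without waiting for a patch window. The following is an added example, not from the advisory or from Vite: a `server` section as it looks when the dev server is exposed (the precondition for this CVE) beside a hardened one, plus a small audit function that flags the risky settings. `server.host`, `server.fs.strict`, `server.fs.allow` and `server.fs.deny` are real Vite options; the audit rules, thresholds and messages are my own and are not something Vite ships.

```javascript
// Added example, not from the advisory or from Vite: an exposed `server`
// config beside a hardened one, and an audit that flags the risky settings.
// Option names are real Vite options; the audit rules and messages are my own.
const exposedServer = {
  host: true,             // same as `vite --host`: listens on all interfaces
  fs: { strict: false },  // turns the @fs allow-list off entirely
};

const hardenedServer = {
  host: "127.0.0.1",      // loopback only (Vite's default is localhost)
  fs: {
    strict: true,         // enforce the allow-list (the default)
    allow: ["."],         // serve only from the project root
    deny: [".env", ".env.*", "*.{crt,pem}"],
  },
};

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
const FS_ROOT_RE = /^(?:\/|[A-Za-z]:[\\/]?)$/; // "/" or a Windows drive root

// Returns a list of human-readable findings for a Vite `server` config object.
function auditServerConfig(server = {}) {
  const findings = [];
  const host = server.host;
  if (host !== undefined && !LOOPBACK_HOSTS.has(host)) {
    findings.push(`server.host=${JSON.stringify(host)}: dev server is reachable from the network, the precondition for CVE-2025-30208`);
  }
  const fs = server.fs || {};
  if (fs.strict === false) {
    findings.push("server.fs.strict=false: @fs allow-list disabled, any readable file can be served");
  }
  for (const entry of fs.allow || []) {
    if (FS_ROOT_RE.test(entry)) {
      findings.push(`server.fs.allow entry ${JSON.stringify(entry)} exposes the whole filesystem`);
    }
  }
  return findings;
}

console.log("exposed :", auditServerConfig(exposedServer));
console.log("hardened:", auditServerConfig(hardenedServer));
```

Note that the audit only reads the config object; `vite --host` on the command line produces the same exposure without touching the file, so check your package.json scripts and CI invocations as well. Configuration hardening is defence in depth here: the upgrade is still required, because a server that is deliberately shared on a LAN is exactly the deployment the advisory describes.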
