Cyber Posture

CVE-2025-30208

Severity: Medium · Public PoC

Published: 24 March 2025
Modified: 23 September 2025
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.8985 (99.6th percentile)
Risk Priority: 65 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30208 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 0.4% of all CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 2 other techniques.
AI-specific risk: MITRE ATLAS Obtain Capabilities (AML.T0016) plus 1 more.
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- Prevent: Requires timely remediation of the specific flaw in Vite's `@fs` module by patching to the fixed versions, directly preventing arbitrary file disclosure.
- Prevent (SI-10, Information Input Validation): Mandates validation of URL query parameters so that malformed queries such as `?raw??`, which evade the file access restrictions, are rejected.
- Prevent (CM-6, Configuration Settings): Enforces secure configuration settings, in particular not exposing the Vite dev server to untrusted networks via `--host` or `server.host`, which removes the remote attack vector.

MITRE ATT&CK Enterprise Techniques [AI]

- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables arbitrary local file read through an exposed Vite dev server (exploitation of a public-facing application), which in turn facilitates file and directory discovery and collection of data from the local system.

MITRE ATLAS Techniques [AI]

- AML.T0016: Obtain Capabilities
- AML.T0024: Exfiltration via AI Inference API

NVD Description

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

Deeper analysis [AI]

CVE-2025-30208 is a vulnerability in Vite, a frontend development tooling provider, affecting versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. The issue lies in the `@fs` module, which is designed to deny access to files outside Vite's serving allow list. However, appending `?raw??` or `?import&raw??` to a URL bypasses this restriction, allowing the contents of arbitrary files to be returned to the browser if they exist. This occurs because trailing separators like `?` are stripped in several code paths but not properly accounted for in query string regexes.

The vulnerability can be exploited by remote attackers with network access to a Vite development server explicitly exposed via the `--host` flag or `server.host` configuration option. Exploitation requires high attack complexity and user interaction, such as tricking a user into visiting a crafted URL (CVSS 5.3: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). Successful attacks enable arbitrary file disclosure, resulting in high confidentiality impact through exposure of sensitive file contents like configuration files or source code directly to the browser.

Mitigation is available in the fixed versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. Patch details are provided in the following Vite GitHub commits: https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4, https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c, https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41, https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca, and https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1. Affected deployments should upgrade immediately and avoid exposing dev servers to untrusted networks.
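The parser differential described above (a `raw` query recognised by one code path only after trailing `?`/`&` separators are stripped, and missed by the query regex in another) can be turned into a log-side detection rule. The following is an added example, not Vite's own code: the regexes model the mechanism the advisory describes rather than reproduce Vite's sources, and the access-log lines are constructed for illustration.

```javascript
// Added example (not Vite's own code): flag dev-server access-log requests
// with the CVE-2025-30208 signature, an /@fs/ URL whose `raw` query is only
// recognised once trailing separators (`?` or `&`) are stripped. The regexes
// and the log lines below are constructed for this example, not real traffic.

// A query-string regex of the kind the advisory describes: it expects `raw`
// to be followed by `&` or end-of-string, so `?raw??` does not match it.
const RAW_QUERY_RE = /[?&]raw(?:&|$)/;
// Trailing separators that other code paths strip before serving the file.
const TRAILING_SEP_RE = /[?&]+$/;

function stripTrailingSeparators(url) {
  return url.replace(TRAILING_SEP_RE, "");
}

// Bypass signature: the request targets /@fs/ and the raw-query regex
// disagrees with itself before and after normalisation (false on the literal
// URL, true once trailing separators are removed). A plain `?raw` request is
// not flagged: the allow-list check already handles that form.
function isBypassAttempt(url) {
  if (!url.startsWith("/@fs/")) return false;
  const literal = RAW_QUERY_RE.test(url);
  const normalised = RAW_QUERY_RE.test(stripTrailingSeparators(url));
  return normalised && !literal;
}

// Pull the request target out of a combined-log-format line.
function extractRequestPath(line) {
  const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

function findBypassAttempts(log) {
  const hits = [];
  for (const line of log.split("\n")) {
    const url = extractRequestPath(line);
    if (url && isBypassAttempt(url)) {
      hits.push({ client: line.split(" ")[0], url, file: url.split("?")[0] });
    }
  }
  return hits;
}

// Constructed sample log: one benign @fs import, two bypass attempts, and one
// plain raw request that the allow list rejected (403).
const SAMPLE_LOG = `10.0.0.5 - - [24/Mar/2025:10:01:02 +0000] "GET /src/main.ts HTTP/1.1" 200
10.0.0.5 - - [24/Mar/2025:10:01:03 +0000] "GET /@fs/home/dev/app/src/logo.svg?import HTTP/1.1" 200
10.0.0.9 - - [24/Mar/2025:10:02:10 +0000] "GET /@fs/home/dev/private/notes.txt?raw?? HTTP/1.1" 200
10.0.0.9 - - [24/Mar/2025:10:02:11 +0000] "GET /@fs/home/dev/.env?import&raw?? HTTP/1.1" 200
10.0.0.9 - - [24/Mar/2025:10:02:12 +0000] "GET /@fs/home/dev/app/README.md?raw HTTP/1.1" 403`;
```

Running `findBypassAttempts(SAMPLE_LOG)` returns the two `10.0.0.9` requests; a hit on a host that should not be reachable from the network at all is also a signal that `--host` or `server.host` is exposing the dev server more widely than intended.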

Details

CWE(s): CWE-200, CWE-284

Affected Products: vitejs vite, versions ≤ 4.5.10 · 5.0.0 to 5.4.15 · 6.0.0 to 6.0.12

CVEs Like This One

- CVE-2025-31125 (same product: Vitejs Vite)
- CVE-2026-39363 (same product: Vitejs Vite)
- CVE-2026-39364 (same product: Vitejs Vite)
- CVE-2026-5571 (shared CWE-200, CWE-284)
- CVE-2025-8590 (shared CWE-200)
- CVE-2026-2148 (shared CWE-200, CWE-284)
- CVE-2026-2055 (shared CWE-200, CWE-284)
- CVE-2025-0481 (shared CWE-200, CWE-284)
- CVE-2026-2054 (shared CWE-200, CWE-284)
- CVE-2026-32938 (shared CWE-200, CWE-284)
