AI description
CVE-2025-30208 is a vulnerability affecting Vite, a frontend development tool. It exists in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. The vulnerability allows bypassing file access restrictions, which are normally in place to prevent access to files outside of a specified allow list. The bypass is achieved by adding "?raw??" or "?import&raw??" to the URL, which circumvents the intended restrictions and returns the file content. This occurs because trailing separators, such as "?", are removed in certain parts of the code but are not properly accounted for in query string regexes. Only applications that explicitly expose the Vite development server to the network (using the `--host` or `server.host` configuration options) are affected.
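As an added defender-side example (not code from the Vite project or from this advisory), the JavaScript below flags dev-server request lines that carry the `?raw??` / `?import&raw??` suffixes quoted above and checks whether a Vite version predates the fixed release for its line. The access-log format, and the rule that a minor line newer than any fixed release of the same major is already patched, are assumptions.

```javascript
// Added example, not Vite project code. Fixed releases named in the advisory,
// one per affected release line (assumption: a newer minor line of the same
// major postdates the fix and is therefore not affected).
const FIXED_VERSIONS = ['4.5.10', '5.4.15', '6.0.12', '6.1.2', '6.2.3'];

// Parse "major.minor.patch" into numbers; pre-release tags ("-beta.1") are dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` is below the fixed release for its major.minor line.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  const fixed = FIXED_VERSIONS.map(parseVersion).sort(compareVersions);
  if (compareVersions(v, fixed[0]) < 0) return true; // older than 4.5.10
  // Earliest fixed release on the same major at or above this minor line.
  const line = fixed.find((f) => f[0] === v[0] && f[1] >= v[1]);
  return line ? compareVersions(v, line) < 0 : false;
}

// The advisory's bypass shape: a "raw" (or "import&raw") query followed by stray
// "?" separators. Matched case-insensitively anywhere in the request target.
const BYPASS_RE = /\?(?:import&)?raw\?\?/i;

// Scan common-log-format lines (constructed format assumption) and return the
// request targets that carry the bypass suffix, noting whether /@fs/ was used.
function findBypassRequests(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = line.match(/"(?:GET|HEAD|POST) (\S+) HTTP\//);
    if (!m || !BYPASS_RE.test(m[1])) continue;
    hits.push({ target: m[1], viaFs: m[1].startsWith('/@fs/') });
  }
  return hits;
}

// Constructed sample: ordinary Vite requests plus two bypass attempts.
const SAMPLE_LOG = [
  '203.0.113.5 - - [26/Mar/2025:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '203.0.113.5 - - [26/Mar/2025:10:00:02 +0000] "GET /@fs/etc/hosts?raw?? HTTP/1.1" 200 220',
  '203.0.113.5 - - [26/Mar/2025:10:00:03 +0000] "GET /src/logo.svg?raw HTTP/1.1" 200 900',
  '203.0.113.5 - - [26/Mar/2025:10:00:04 +0000] "GET /@fs/home/dev/.bash_history?import&raw?? HTTP/1.1" 200 64',
].join('\n');
console.log(findBypassRequests(SAMPLE_LOG), isVulnerableVersion('6.2.2'));
```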
- Description
- Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 5.3
- Impact score
- 3.6
- Exploitability score
- 1.6
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
- security-advisories@github.com
- CWE-200
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 1
Vite Security Issue CVE-2025-30208: Critical Flaw Exposed https://t.co/eYribivpaq https://t.co/QnMPZA9JCH
@huntingjacq
29 Mar 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A service I built with my club and hadn't been updating was getting hit by CVE-2025-30208 attacks, that's way too bad! I fixed it right away, and there's no information in it that would be a problem if leaked, but still...
@a01sa01to
28 Mar 2025
146 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A vulnerability in the frontend tool Vite allows reading arbitrary files (CVE-2025-30208) #セキュリティ対策Lab #セキュリティ #Security https://t.co/FLZZkgHWV8
@securityLab_jp
28 Mar 2025
31 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 Millions of web apps at risk! A PoC exploit for Vite (CVE-2025-30208) allows unauthorized file access via URL parameters. Users must update affected versions to protect sensitive data. ⚠️ #Vite #WebSecurity #USA link: https://t.co/IX4Cn2P84x https://t.co/Sn9mIViyqu
@TweetThreatNews
27 Mar 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Do you know Vite's latest CVE-2025-30208 is a follow-up and patch bypass of a old issue? https://t.co/VZlpIPKbwW The old issue doesn't have a CVE id, but you still can reproduce it via #Vulhub https://t.co/G0dwsLpcW9 https://t.co/b8wzponsjW
@phithon_xg
27 Mar 2025
4526 Impressions
7 Retweets
60 Likes
31 Bookmarks
2 Replies
1 Quote
Vite arbitrary file read vulnerability (CVE-2025-30208). Feels like it could be used to mess with fellow frontend developers, for example by reading their .ssh/id_rsa. Frontend friends, remember to upgrade right away https://t.co/lOpAqpKTf9
@changwei1006
27 Mar 2025
707 Impressions
0 Retweets
3 Likes
3 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-30208:Vite Development Server Arbitrary File Read 🔥PoC:https://t.co/EDCjk8PItk 🧐EXP from @AabyssZG :https://t.co/20H7tFXrLK 📊 277K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/qafv4mcEr6 👇Query HUNTER : https://t.co/
@HunterMapping
27 Mar 2025
1379 Impressions
4 Retweets
13 Likes
6 Bookmarks
0 Replies
0 Quotes
Vite Development Server Arbitrary File Read (CVE-2025-30208) Use #Vulhub to reproduce it: https://t.co/U51vXlGNae https://t.co/liua9DIQxM
@phithon_xg
26 Mar 2025
2999 Impressions
14 Retweets
35 Likes
13 Bookmarks
0 Replies
0 Quotes
It's New Year for the security community; masters, please give it a Star 🤯 This project uses the Vite dev server arbitrary file read vulnerability (CVE-2025-30208) to try reading the /root/.bash_history command history file and extracts any account passwords it may contain. GitHub link: https://t.co/JvzfDzTk0f
@AabyssZG
26 Mar 2025
7011 Impressions
20 Retweets
91 Likes
39 Bookmarks
1 Reply
2 Quotes
⚡️The vulnerability details are now available: https://t.co/wwmqX4y7TX 🚨🚨Vite frontend tool hit with CVE-2025-30208! Just slap ?raw?? or ?import&raw?? onto the URL to bypass restrictions and snag any file. If your Vite dev server is exposed online (using --host or https:/
@zoomeye_team
26 Mar 2025
2090 Impressions
3 Retweets
15 Likes
8 Bookmarks
2 Replies
1 Quote
CVE-2025-30208 Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outs… https://t.co/VazTE18hZ6
@CVEnew
24 Mar 2025
371 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes