CVE-2025-30208

Name of the Vulnerable Software and Affected Versions: Vite versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10.

Description: Vite is susceptible to an arbitrary file read vulnerability due to improper handling of special characters in the @fs mechanism. By appending ?raw?? or ?import&raw?? to a URL, an attacker can bypass file access restrictions and retrieve the contents of arbitrary files if the Vite development server is exposed to the network (using the --host or server.host configuration option). This bypass occurs because trailing separators are not consistently accounted for in the query string regexes. Multiple reports indicate active exploitation attempts and the availability of proof-of-concept exploits. The vulnerability allows attackers to read sensitive files, potentially leading to credential theft, unauthorized access, and data loss. Millions of systems are potentially at risk.

Recommendations: Upgrade Vite to version 6.2.3 or later. If upgrading is not immediately possible, ensure the Vite development server is not accessible from the public network. Restrict access to the Vite dev server to localhost or use firewall rules to block external access. Monitor logs for requests containing '/@fs/' and query patterns containing '??raw??' or '?import&raw'.