CVE-2025-30208

Name of the Vulnerable Software and Affected Versions Vite versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10.

Description Vite is susceptible to a file access bypass, allowing unauthorized access to arbitrary files when the development server is exposed to the network. By appending ?raw?? or ?import&raw?? to a URL targeting the @fs path, an attacker can bypass access restrictions and retrieve the content of files. This bypass occurs because trailing separators are not consistently handled in query string regexes. Exploitation requires the Vite development server to be accessible remotely, typically on port 5173. Multiple reports indicate active scanning and exploitation attempts in the wild, with attackers attempting to read sensitive files such as /etc/environment and .aws/credentials. Millions of web applications are potentially at risk.

Recommendations Upgrade Vite to version 6.2.3 or later. If you are using Vite, ensure that the development server is not exposed to the public network. Bind the server to localhost or use firewall rules to block external access. Place the development server behind an authenticated reverse proxy or VPN. Remove credentials from local files where possible and rotate any potentially exposed credentials. Monitor web access logs and WAF/IDS for requests containing /@fs/ and query patterns containing ?raw?? or ?import&raw??.