CVE-2025-30208

Name of the Vulnerable Software and Affected Versions Vite versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10

Description Vite, a frontend development tooling provider, has a file access bypass issue. The @fs mechanism is designed to restrict access to files outside of the Vite serving allow list. However, appending ?raw?? or ?import&raw?? to a URL bypasses this limitation, potentially returning the content of arbitrary files if they exist. This bypass occurs because trailing separators, such as ?, are removed in multiple places but are not properly accounted for in the query string regexes. This allows an attacker to read arbitrary files on the system. The vulnerability is exploitable when the Vite development server is exposed to the network using the --host or server.host configuration option. Millions of web applications may be at risk. The vulnerability can be exploited by crafting a specific URL, such as /@fs/etc/passwd?raw?? on Linux systems or /@fs/C://windows/win.ini?import&raw?? on Windows systems.

Recommendations Update to Vite version 6.2.3 or later. Update to Vite version 6.1.2 or later. Update to Vite version 6.0.12 or later. Update to Vite version 5.4.15 or later. Update to Vite version 4.5.10 or later.