CVE-2025-30208 MEDIUM

CVE-2025-30208: Vite bypasses server.fs.deny when using `?raw??`

Vendor Vitejs

Product vite

Weakness CWE-200 · Info exposure

Published March 24, 2025

Last update March 24, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

Key dates

02Disclosure timeline

March 24, 2025 CVE published

March 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-30208 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2025-30208

CWE CWE-200

CVSS 5.3 / MEDIUM

Affected versions

Vendor Vitejs

Product vite

Affected < 4.5.10

Vendor Vitejs

Product vite

Affected >= 5.0.0, < 5.4.15

Vendor Vitejs

Product vite

Affected >= 6.0.0, < 6.0.12

Vendor Vitejs

Product vite

Affected >= 6.1.0, < 6.1.2

Vendor Vitejs

Product vite

Affected >= 6.2.0, < 6.2.3

CVE-2025-30208: Vite bypasses server.fs.deny when using `?raw??`

01Description

02Disclosure timeline

03References

04Related CVE