CVE-2025-30208
CVE-2025-30208 is an arbitrary file read vulnerability in the Vite development server, caused by inconsistent handling of the /@fs/ feature and malformed query strings. When the dev server is exposed to the network (for example with --host or an equivalent option), an attacker can bypass the filesystem path restrictions and read arbitrary files from the host system.
What is Vite and how does it normally operate?
Vite is a modern build tool and development server designed to enhance development experience for web projects, particularly those using JavaScript, TypeScript, or frameworks like Vue.js, React, and Svelte.
Developers use Vite to create, test, and deploy web applications. In development mode, it runs a local server that serves files and handles module imports. Developers typically start the Vite dev server locally to work on their project, editing files within the project directory.
Where the vulnerability lies
Vite supports special paths such as /@fs/absolute/path so that files can be imported directly from the filesystem during development. Normally @fs denies access to any file outside Vite's serving allow list, but appending ?raw?? or ?import&raw?? to the URL bypasses that restriction and returns the file's contents if the file exists. The bypass exists because trailing separators such as ? are removed in several places in the request pipeline, but the regular expressions that decide whether a request must pass the access check do not account for them, so the check is skipped while the file is still loaded and its contents returned to the browser. Only applications that expose the dev server, for example by running Vite with --host or setting the server.host config option, are affected.
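To make that mismatch concrete, here is an added example (not Vite's source code; RAW_RE and stripTrailingSeparators are simplified models of the internals the advisory refers to, not copies of them) that applies a pre-fix style gate, the loader's view, and a hardened gate to the URL forms named above:

```javascript
// Added example, not Vite's own code: a minimal model of the mismatch
// between the access-check regex and the separator stripping that the
// advisory describes. RAW_RE and stripTrailingSeparators are simplified
// stand-ins for Vite internals, not copies of them.

// Pre-fix gate model: only URLs that look like "?raw" / "&raw" requests
// are sent through the filesystem allow-list check.
const RAW_RE = /[?&]raw(?:&|$)/;

// Vite strips a trailing "?" or "&" in several places before loading;
// modelled here as removing all trailing separators at once.
function stripTrailingSeparators(url) {
  return url.replace(/[?&]+$/, '');
}

// Vulnerable gate: tests the URL exactly as it was received.
function vulnerableNeedsFsCheck(url) {
  return RAW_RE.test(url);
}

// What the loader acts on: the same regex, but after stripping.
function loaderTreatsAsRaw(url) {
  return RAW_RE.test(stripTrailingSeparators(url));
}

// Hardened gate: canonicalize exactly as the loader does before deciding,
// and fail closed on a malformed query (a second "?") instead of guessing.
function hardenedNeedsFsCheck(url) {
  const q = url.indexOf('?');
  if (q !== -1 && url.indexOf('?', q + 1) !== -1) return true;
  return RAW_RE.test(stripTrailingSeparators(url));
}

// 'bypass' when the gate skips the check but the loader still serves raw
// file contents; 'consistent' when both agree.
function classify(url, gate) {
  return loaderTreatsAsRaw(url) && !gate(url) ? 'bypass' : 'consistent';
}

// Constructed sample URLs: the malformed forms named above and a normal
// ?raw import of a file inside the project.
const SAMPLES = [
  '/@fs/tmp/secret.txt?raw??',
  '/@fs/tmp/secret.txt?import&raw??',
  '/src/notes.txt?raw',
];

// Returns [url, verdict] pairs for a gate, e.g. audit(hardenedNeedsFsCheck).
function audit(gate) {
  return SAMPLES.map((url) => [url, classify(url, gate)]);
}
```

The lesson generalizes beyond this CVE: a security check and the code it protects must see the same canonical form of the input, or any normalization applied between them becomes a bypass.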
PoC
Create a simple file to test with:
echo "Hello vulnerable Vite server" | sudo tee /tmp/secret.txt
Request it using the vulnerable payload (allow-list bypass):
curl "http://localhost:5173/@fs/tmp/secret.txt?import?raw??"
Possible mitigations
- Never expose Vite’s dev server to the public internet.
- Upgrade Vite to a patched version in which this bypass is fixed.
- Never run the Vite dev server with sudo or as root: the vulnerability reads files with the privileges of the server process, so running it as root exposes root-only files as well.