Cyber Posture

CVE-2025-30208

Medium · Public PoC

Published: 24 March 2025

Modified: 23 September 2025
KEV Added
Patch
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.8985 (99.6th percentile)
Risk Priority: 65 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-30208 is a vulnerability in Vite, a frontend development tooling provider, affecting versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. The issue lies in the `@fs` module, which is designed to deny access to files outside Vite's serving allow list. However, appending `?raw??` or `?import&raw??` to a URL bypasses this restriction, allowing the contents of arbitrary files to be returned to the browser if they exist. This occurs because trailing separators like `?` are stripped in several code paths but not properly accounted for in query string regexes.

The vulnerability can be exploited by remote attackers with network access to a Vite development server explicitly exposed via the `--host` flag or `server.host` configuration option. Exploitation requires high attack complexity and user interaction, such as tricking a user into visiting a crafted URL (CVSS 5.3: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). Successful attacks enable arbitrary file disclosure, resulting in high confidentiality impact through exposure of sensitive file contents like configuration files or source code directly to the browser.

Mitigation is available in the fixed versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. Patch details are provided in the following Vite GitHub commits: https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4, https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c, https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41, https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca, and https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1. Affected deployments should upgrade immediately and avoid exposing dev servers to untrusted networks.
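
A detection sketch for the request shape described above, added here as an example and not taken from Vite or from this advisory's sources: it scans access-log lines for a `raw` query parameter followed by trailing `?` separators. It assumes the dev server sits behind a proxy that writes Common Log Format; the sample lines, addresses and file path are constructed.

```javascript
// Added example: flag logged requests whose query string ends in "raw" plus
// trailing "?" separators, the shape this advisory describes for CVE-2025-30208.
// Assumption: Common Log Format lines from a proxy in front of the dev server.

// "raw" as the last query parameter, followed by one or more stray "?".
const TRAILING_RAW = /(?:^|&)raw\?+$/;

// Split a request target at the first "?" and test the remainder.
function classifyRequest(target) {
  const q = target.indexOf('?');
  if (q === -1) return null;
  const path = target.slice(0, q);
  const query = target.slice(q + 1);
  if (!TRAILING_RAW.test(query)) return null;
  // viaFs marks requests that went through the /@fs/ prefix.
  return { path, query, viaFs: path.startsWith('/@fs/') };
}

// Return one record per suspicious request, with client address and status
// so responders can see which requests were actually answered.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/.exec(line);
    if (!m) continue; // not a request line we understand
    const hit = classifyRequest(m[2]);
    if (hit) hits.push({ client: m[1], status: Number(m[3]), ...hit });
  }
  return hits;
}

// Constructed sample log (documentation addresses, made-up file path).
const SAMPLE_LOG = [
  '192.0.2.10 - - [24/Mar/2025:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '192.0.2.10 - - [24/Mar/2025:10:00:02 +0000] "GET /src/logo.svg?raw HTTP/1.1" 200 900',
  '198.51.100.7 - - [24/Mar/2025:10:00:05 +0000] "GET /@fs/tmp/secret.txt?raw?? HTTP/1.1" 200 64',
  '198.51.100.7 - - [24/Mar/2025:10:00:06 +0000] "GET /@fs/tmp/secret.txt?import&raw?? HTTP/1.1" 403 0',
  'malformed line without a request',
];

for (const h of scanLog(SAMPLE_LOG)) {
  console.log(`${h.client} ${h.status} ${h.path}?${h.query}`);
}
```

A hit with a 200 status on an unpatched version is worth treating as possible file disclosure; the ordinary `?raw` import in the second sample line is not flagged.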

Details

CWE(s)
CWE-200 · CWE-284 · NVD-CWE-noinfo

Affected Products

vitejs
vite
≤ 4.5.10 · 5.0.0 — 5.4.15 · 6.0.0 — 6.0.12

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables arbitrary local file read via an exposed Vite dev server (exploitation of a public-facing web application), which facilitates file and directory discovery and the collection of data from the local system.

References