Home/CVE/Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15,
CVE

CVE-2025-30208

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15,

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

MEDIUM · CVSS 5.3 EPSS 0.89847
Act now
  • EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
  • EPSS percentile: top 0% of all CVEs by exploitation likelihood
  • Public exploit or PoC is available
Sigma rules0 YARA rules0

Weakness Classification

CWE-200Exposure of Sensitive Information to an Unauthorized Actor
CWE-284Improper Access Control

Affected Products & Versions

5
vitejs vite< 4.5.10
vitejs vite>= 5.0.0 and < 5.4.15
vitejs vite>= 6.0.0 and < 6.0.12
vitejs vite>= 6.1.0 and < 6.1.2
vitejs vite>= 6.2.0 and < 6.2.3

Affected Packages

1
Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
npm vite MODERATE fixed in 6.2.3

Public Exploits & PoCs

3
remoteVite 6.2.2 - Arbitrary File Read2025-04-03
nucleiVite - Arbitrary File Readmedium
pocgithub.com · GHSA-x574-m823-4x7wgithub.com

Detection Rules (IDS/IPS)

1
et-openET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208)attempted-admin
Open rulesets (ET Open, Snort Community, abuse.ch) link to source. Commercial rulesets are reference-only.

Scoring & Timeline

5.3
MEDIUM · CVSS v3.1 · security-advisories@github.com
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD24 Mar 2025 · 05:15 PM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
SSVC triage · cisa-vulnrichment
Exploitation
poc
Automatable
no
Technical impact
partial
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.
🔗

References & Sources

5
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4Patch
https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803cPatch
https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41Patch
https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07caPatch
https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1Patch
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin