CVE-2025-30208 Scanner
CVE-2025-30208 Scanner - Arbitrary File Read vulnerability in Vite
Short Info
Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 9 hours
Scan only one: URL
Toolbox: -
Vite is a frontend build tool and development server that speeds up web application development with fast hot module replacement and pre-bundling of dependencies. It is widely adopted by teams building single-page applications and modern websites with frameworks such as Vue, React, and Svelte, and is used in both open-source and enterprise environments to streamline the frontend build pipeline. During development, the Vite dev server can be exposed for testing across local networks or cloud environments. It is accessed through the browser and serves files and modules under specific constraints. When misconfigured, it may be exposed to public networks, increasing the attack surface.
The vulnerability in Vite allows an attacker to read arbitrary files through specially crafted URL query strings. When a request targets a path with the `?raw` or `?import&raw` query string, Vite parses the request incorrectly and may return the contents of files outside the intended serve allowlist. The root cause is a flaw in how query strings with trailing characters such as `?` are processed, which bypasses the existing regex-based validation. As a result, sensitive files become readable over HTTP whenever the dev server is reachable from the internet. Only applications that expose the Vite development server externally are at risk.
The technical root of the issue lies in Vite’s handling of the `@fs` route, which is meant to restrict filesystem access to certain directories. An attacker can exploit the flaw by appending `?raw` or a similar payload to a path that references a sensitive file such as `/etc/passwd` or a Windows system file. Because the trailing query characters are not stripped correctly, Vite fails to apply its path validation and inadvertently returns the file contents. The vulnerability can be verified by sending crafted GET requests and checking whether known file signatures such as "root:" or "Microsoft Corp" appear in the response body; a match confirms unauthorized file access and potential leakage of confidential system information.
If successfully exploited, this vulnerability allows an attacker to read arbitrary files from the server’s filesystem, exposing sensitive information such as configuration files, environment variables, credentials, or proprietary source code. Where the dev server has access to production-level configuration or is used beyond development, this can lead to significant data breaches, and any critical secrets retrieved open the door to further attacks. Such exposure compromises both the integrity and the confidentiality of the system.
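As an added, defender-side illustration (not part of this scanner or of Vite itself), the following Python script applies the signature described above to dev-server access logs: it flags `@fs` requests whose query string ends in a stray `?` or whose resolved path falls outside the configured project roots. The log lines and the allowed root `/home/dev/app` are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample dev-server access-log lines (Common Log Format); not from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /src/main.ts HTTP/1.1" 200 512
10.0.0.5 - - [20/Mar/2025:10:01:03 +0000] "GET /@fs/home/dev/app/src/App.vue?import HTTP/1.1" 200 914
203.0.113.7 - - [20/Mar/2025:10:02:11 +0000] "GET /@fs/etc/passwd?raw?? HTTP/1.1" 200 1823
203.0.113.7 - - [20/Mar/2025:10:02:12 +0000] "GET /@fs/C:/Windows/win.ini?import&raw?? HTTP/1.1" 200 92
203.0.113.7 - - [20/Mar/2025:10:02:13 +0000] "GET /etc/passwd?raw HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def analyse_target(target: str, allowed_roots: tuple) -> list:
    """Return the reasons a request target matches the CVE-2025-30208 probe pattern."""
    reasons = []
    path, _, query = target.partition("?")
    path = unquote(path)
    # The advisory's marker: a query string carrying stray trailing '?' characters
    if query.endswith("?"):
        reasons.append("trailing '?' in query string")
    names = {p.split("=", 1)[0] for p in query.rstrip("?").split("&") if p}
    if "raw" in names:
        reasons.append("raw query on a file path")
    if path.startswith("/@fs/"):
        fs_path = posixpath.normpath(path[len("/@fs"):])  # "/@fs/etc/passwd" -> "/etc/passwd"
        if not any(fs_path == r or fs_path.startswith(r.rstrip("/") + "/") for r in allowed_roots):
            reasons.append("@fs path outside the allowed roots: " + fs_path)
    return reasons

def scan_log(text: str, allowed_roots: tuple = ("/home/dev/app",)) -> list:
    """Return one finding per log line whose target shows the bypass signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse_target(m["target"], allowed_roots)
        # A plain ?import inside the project root is normal dev traffic; alert only on the signal
        if any(r.startswith(("trailing", "@fs path")) for r in reasons):
            findings.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"]),
                             "served": m["status"] == "200", "reasons": reasons})
    return findings
```

A finding with `served` set to true means the dev server answered the probe with 200, which is the case to triage first.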