Location>code7788 >text

Vite CVE-2025-30208 Security Vulnerability

Popularity:878 ℃/2025-03-27 10:01:18

Vite CVE-2025-30208 Security Vulnerability

1. Overview of vulnerabilities

CVE-2025-30208Is a security vulnerability in Vite, a front-end development tool provider, in a specific version. This vulnerability allows an attacker to bypass access restrictions on the file system through special URL parameters, thereby obtaining arbitrary file content (including files outside the scope of the Vite service directory).

1. The principle of vulnerability

  • Vite provides @fs in development server mode for accessing files within the scope of the service.
  • 403 Restricted should have been returned for out-of-range file requests; however, the original check can be bypassed when adding ?raw?? or ?import&raw?? to the request URL.
  • This is because the end delimiter like ? is removed in multiple processing steps, but this is not considered in the regular match of the query string; an attacker can use this flaw to read the contents of the target file.

2. Vulnerability impact

  • In a specific configuration, an attacker can access files anywhere on the server (such as /tmp/) and return the content to the browser.
  • Only inExplicitly expose the Vite development server(If using --host or configuring external accessibility in ) the external request can be initiated directly for file reading.
  • If the file contains sensitive data (such as credentials, configurations, etc.), information leakage may occur.

2. Affected Scope

1. Affect version

According to official and community information, the following Vite versions have this vulnerability:

  • = 6.2.0, <= 6.2.2

  • = 6.1.0, <= 6.1.1

  • = 6.0.0, <= 6.0.11

  • = 5.0.0, <= 5.4.14

  • <= 4.5.9

To put it more generally: versions before 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10.

2. Repair version

  • 6.2.3And above
  • 6.1.2
  • 6.0.12
  • 5.4.15
  • 4.5.10

This vulnerability has been fixed only in the above and later versions.

3. Affected deployment methods

  • In production or external environmentRun Vite Dev Server and use --host or enable external network access using external network.

4. Unaffected scenarios

  • Use Vite in a local development environment and do not expose the ports; only access localhost by yourself.
  • The code has been packaged and handed over to server agents such as Nginx/Tomcat/Egg, for production environmentNoneTurn on Vite Dev Server.
  • Use the fixed version of Vite.

3. Causes of loopholes

  • Core issues: When the request URL has ending delimiters such as ?raw?? / ?import&raw??, the logic of removing the ending delimiters of the ? ending delimiters in Vite is inconsistent with the processing of the regular mismatch of the query string, resulting in the "403" limit when accessing files that exceed the allowable list is bypassed.

IV. Vulnerability exploitation examples

Take the official PoC as an example:

  1. Under normal circumstances, accesshttp://localhost:5173/@fs/tmp/Will return:
403 Restricted
The request url "/tmp/" is outside of Vite serving allow list.
  1. But add ?import&raw?? after the request:
curl "http://localhost:5173/@fs/tmp/?import&raw??"

The return result will be the contents of the file, for example:

export default "top secret content\n"
//# sourceMappingURL=data:application/json;...

5. Repair and relief

1. Upgrade to the secure version

  • Upgrade to Vite now6.2.3 / 6.1.2 / 6.0.12 / 5.4.15 / 4.5.10or later for official patching.

2. Temporary measures

If the upgrade is temporarily unavailable, the following measures can be taken:

  • Don't be open in production environment Vite Dev ServerExternal access; only used on the intranet or local.
  • Limit access scope: Do IP restrictions in the firewall or Nginx layer to ensure that only trusted IPs can be accessed.
  • Strictly check routing requests: Intercept requests containing the words ?raw?? / ?import&raw?? at the proxy layer to block direct connection access to Vite Dev Server.

6. Timeline (example)

  • 2025-03-24: CVE-2025-30208 Public on NVD
  • 2025-03-25: Community and official confirmation affecting the version and repair methods
  • 2025-03-26: Vite publishes multiple Commit repairs and corresponding Advisory
  • 2025-03-27: The fixed version (6.2.3, 6.1.2, etc.) is officially launched and users are notified to upgrade

7. Summary

CVE-2025-30208It demonstrates the importance of security control in front-end development servers - even if it is only used for development and debugging, it may lead to information leakage risks due to accidental exposure.

For this vulnerability,The safest way to do itIt's in the production environmentAvoid using Vite Dev Server directly,at the same timeUpgrade to the official fix version. For intranet or test scenarios, make sure to enable external access only in trusted networks or configure stricter access restrictions for Vite Dev Server.

  • If you only use Vite in local/development environment: There is no "Vite Dev Server" online, so it will not be affected by this vulnerability.
  • If it is also exposed to the production environment Vite Dev Server: It is necessary to upgrade to the repair version of Vite, or at least ensure that the debugging service is not open to the public.

Reference link

  • NVD - CVE-2025-30208
  • GitHub Advisory GHSA-x574-m823-4x7w
  • Vite Official Commits (Multiple)
<Previous Next>