CVE-2025-30208

Published Mar 24, 2025

Last updated 5 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-30208 is a vulnerability affecting Vite, a frontend development tool. It exists in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. The vulnerability allows bypassing file access restrictions, which are normally in place to prevent access to files outside of a specified allow list. The bypass is achieved by adding "?raw??" or "?import&raw??" to the URL, which circumvents the intended restrictions and returns the file content. This occurs because trailing separators, such as "?", are removed in certain parts of the code but are not properly accounted for in query string regexes. Only applications that explicitly expose the Vite development server to the network (using the `--host` or `server.host` configuration options) are affected.

Description
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Source
security-advisories@github.com
NVD status
Analyzed
Products
vite

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-200
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

  1. CVE-2025-30208 (ViteJS Arbitrary File Read) + Leaked JWT Secrets = Full Admin Takeover ⚡️. Used Vitejs path traversal to exfiltrate .env & .tmp/data.db then generated forged tokens -> Unauthenticated access to /admin. Patch Now 🚨 #BugBounty #EthicalHacking #bugbounty

    @0x0smilex

    7 Feb 2026

    5029 Impressions

    15 Retweets

    126 Likes

    69 Bookmarks

    0 Replies

    0 Quotes

  2. Huge thanks to @0m3rexe for responsibly disclosing a vulnerability related to CVE-2025-30208 in my setup at https://t.co/nvyVWvvVBy 🛡️ He provided a clear proof-of-concept and verified the patch quickly. If you need a professional security researcher, check him out! #infose

    @Mobilpadde

    28 Jan 2026

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. https://t.co/nZnFiadgaq - This article details the discovery of a high severity vulnerability (CVE-2025-30208) by security researcher https://t.co/8AOCpxT52y during a (1/3)

    @BugBountyShorts

    17 Oct 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. https://t.co/nZnFiadgaq - This article details the discovery of a high severity vulnerability (CVE-2025-30208) by security researcher https://t.co/8AOCpxT52y during a (1/3)

    @BugBountyShorts

    16 Oct 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Upcoming CVE & Bug Bounty POC Breakdowns I’ve been working on detailed breakdowns of some new vulnerabilities: CVE-2025-0133 : XSS CVE-2025-53833 : SSTI CVE-2025-30208 : Local File Inclusion All videos will premiere soon on YouTube. 🔗 Watch here: https://t.co/7Rb8lWD

    @h4x0r_fr34k

    11 Sept 2025

    678 Impressions

    2 Retweets

    10 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  6. Upcoming CVE & Bug Bounty POC Breakdowns I’ve been working on detailed breakdowns of some new vulnerabilities: CVE-2025-0133 : XSS (Citrix Logout XSS) CVE-2025-53833 : SSTI CVE-2025-30208 : Local File Inclusion All videos will premiere soon on YouTube. 🔗 Watch here: h

    @h4x0r_fr34k

    11 Sept 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-30208: Vite, vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation https://t.co/lR0CgEPuUU… https://t.co

    @sirjameshackz

    2 Sept 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Dragon Drop: New CVE Labs 🪲🚨🔥 → CVE-2025-30208_Attack: https://t.co/TkdbA1zJIh → Defend CVE-2025-30208: https://t.co/LnMQNH7S2Q → CVE-2024-55963_Attack: https://t.co/I9bM6nx76K → Defend CVE-2024-55963: https://t.co/8YuS2rGG2o → CVE-2024-39914_Attack: https://t

    @offsectraining

    7 Aug 2025

    3885 Impressions

    3 Retweets

    27 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  9. #CVE-2025-30208 – #Vite #Arbitrary_File_Read via @fs #Path_Traversal_Bypass https://t.co/pB8Rv00mqo https://t.co/QkeS1t10iJ

    @omvapt

    3 Aug 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-30208 – Vite Arbitrary File Read via @fs Path Traversal Bypass https://t.co/ge3P6IepG7

    @DemolisherDigi

    31 Jul 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2025-30208 : A PoC of the exploit script for the Arbitrary File Read vulnerability of Vite App https://t.co/UcNHhUh5vg

    @freedomhack101

    26 Jun 2025

    105 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  12. ⚠️ A critical file read vulnerability (CVE-2025-30208) in Vite allows attackers to read sensitive files through crafted URLs. Vite users: upgrade to patched versions and ensure your dev servers aren’t exposed online! Stay secure! #Vite #CyberSecurity #In… https://t.co/edH

    @prod42net

    9 Jun 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. "Vite File Read Vulnerability Exposed (CVE-2025-30208)" by Sharon #DEVCommunity #vulnerabilities #websecurity #cybersecurity https://t.co/thKa8k5voA

    @Sharon18866

    9 Jun 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-30208: Vite, vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation https://t.co/XvkCx3je7P https://t.co/xC

    @cyber_advising

    6 Jun 2025

    367 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  15. CVE-2025-30208 - Vite Arbitrary File Read vulnerability https://t.co/0rlmkoEvTf https://t.co/jWOVQGAV24

    @SirajD_Official

    5 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-30208 - Vite Arbitrary File Read vulnerability https://t.co/WuIXKjMogd https://t.co/gPKwbS1B7i

    @shbertin

    25 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-30208 - Vite Arbitrary File Read vulnerability https://t.co/yuRhEuVeTT https://t.co/FhlxoroNVj

    @mayurk21

    18 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. CVE-2025-30208 - Vite Arbitrary File Read vulnerability https://t.co/Mw0KEYuhut https://t.co/jnnvxhBDnC

    @IdentityJason

    16 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Some versions of vite have a file read vulnerability in the dev environment, CVE-2025-30208. Do not use the development environment as a production environment. Fix: upgrade to the latest version. https://t.co/5Xh0hZcO2J

    @tsoiaf2023

    16 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. #ThreatProtection #CVE-2025-30208 - #Vite Arbitrary File Read #vulnerability, read more about Symantec's protection: https://t.co/thXYs1iOlO

    @threatintel

    15 Apr 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. The @AngleProtocol front-end has a CVE-2025-30208 vulnerability. DO NOT INTERACT WITH IT! An official rejected claims of a vulnerability with a curt “Nope”, offering no reason. Stay Vigilant! https://t.co/JhiLHigsTf

    @SuplabsYi

    12 Apr 2025

    1814 Impressions

    2 Retweets

    23 Likes

    5 Bookmarks

    2 Replies

    1 Quote

  22. CVE-2025-30208 affects #Vite (prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10). When exposed to the network (--host flag), it allows arbitrary file read: `/etc/passwd` or `C:\Windows\win.ini` by appending `?raw??` or `?import&raw??`. PoC: http://1.2.3.4/etc/passwd?raw?? #BugBou

    @nav1n0x

    1 Apr 2025

    14758 Impressions

    57 Retweets

    296 Likes

    165 Bookmarks

    3 Replies

    2 Quotes

  23. #exploit 1. CCleaner LPE Vulnerability on macOS https://t.co/AhFwhrZmoE 2. CVE-2025-0868: Arbitrary Command Injection in DocsGPT https://t.co/zSOBS4KF9n 3. CVE-2025-30208: Vite Arbitrary File Read vulnerability https://t.co/NcQDeoVijy

    @ksg93rd

    1 Apr 2025

    93 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Vite Security Issue CVE-2025-30208: Critical Flaw Exposed https://t.co/eYribivpaq https://t.co/QnMPZA9JCH

    @huntingjacq

    29 Mar 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. A service I built for my club and hadn't been updating was getting hit by CVE-2025-30208 attacks, that's way too bad! I fixed it right away, and there's no information in particular that would be a problem if leaked, but...

    @a01sa01to

    28 Mar 2025

    146 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  26. Vulnerability in the frontend tool Vite that allows arbitrary files to be read (CVE-2025-30208) #セキュリティ対策Lab #セキュリティ #Security https://t.co/FLZZkgHWV8

    @securityLab_jp

    28 Mar 2025

    31 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🚨 Millions of web apps at risk! A PoC exploit for Vite (CVE-2025-30208) allows unauthorized file access via URL parameters. Users must update affected versions to protect sensitive data. ⚠️ #Vite #WebSecurity #USA link: https://t.co/IX4Cn2P84x https://t.co/Sn9mIViyqu

    @TweetThreatNews

    27 Mar 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Do you know Vite's latest CVE-2025-30208 is a follow-up and patch bypass of an old issue? https://t.co/VZlpIPKbwW The old issue doesn't have a CVE id, but you still can reproduce it via #Vulhub https://t.co/G0dwsLpcW9 https://t.co/b8wzponsjW

    @phithon_xg

    27 Mar 2025

    4526 Impressions

    7 Retweets

    60 Likes

    31 Bookmarks

    2 Replies

    1 Quote

  29. Vite arbitrary file read vulnerability (CVE-2025-30208). Feels like it could be used to mess with other frontend developer colleagues, for example by reading their .ssh/id_rsa. Frontend friends, remember to upgrade quickly https://t.co/lOpAqpKTf9

    @changwei1006

    27 Mar 2025

    707 Impressions

    0 Retweets

    3 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  30. 🚨Alert🚨 CVE-2025-30208:Vite Development Server Arbitrary File Read 🔥PoC:https://t.co/EDCjk8PItk 🧐EXP from @AabyssZG :https://t.co/20H7tFXrLK 📊 277K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/qafv4mcEr6 👇Query HUNTER : https://t.co/

    @HunterMapping

    27 Mar 2025

    1379 Impressions

    4 Retweets

    13 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  31. Vite Development Server Arbitrary File Read (CVE-2025-30208) Use #Vulhub to reproduce it: https://t.co/U51vXlGNae https://t.co/liua9DIQxM

    @phithon_xg

    26 Mar 2025

    2999 Impressions

    14 Retweets

    35 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  32. It's New Year in the security scene; masters, please help by giving a Star 🤯 This project uses the Vite development server arbitrary file read vulnerability (CVE-2025-30208) to try to read the /root/.bash_history command history file and extract any account credentials it may contain. GitHub address: https://t.co/JvzfDzTk0f

    @AabyssZG

    26 Mar 2025

    7011 Impressions

    20 Retweets

    91 Likes

    39 Bookmarks

    1 Reply

    2 Quotes

  33. ⚡️The vulnerability details are now available: https://t.co/wwmqX4y7TX 🚨🚨Vite frontend tool hit with CVE-2025-30208! Just slap ?raw?? or ?import&raw?? onto the URL to bypass restrictions and snag any file. If your Vite dev server is exposed online (using --host or https:/

    @zoomeye_team

    26 Mar 2025

    2090 Impressions

    3 Retweets

    15 Likes

    8 Bookmarks

    2 Replies

    1 Quote

  34. CVE-2025-30208 Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outs… https://t.co/VazTE18hZ6

    @CVEnew

    24 Mar 2025

    371 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations