Service Notices
Vite Arbitrary File Read Vulnerability (CVE-2025-30208)
Apr 01, 2025 GMT+08:00
I. Overview
A recently disclosed arbitrary file read vulnerability (CVE-2025-30208) has been fixed in a new Vite release. The vulnerability affects Vite's development server when it is exposed to external networks, which happens when the server is started with the --host flag (for example, npm run dev --host) or when the server.host option is configured. Under these conditions, a remote attacker can bypass the @fs path access restrictions by appending the query parameters ?__raw?? or ?import&raw?? to a URL. Successful exploitation allows an attacker to read arbitrary files on the server. A proof of concept (PoC) for the vulnerability has been publicly disclosed, and the risk is high.
Vite is a front-end development tool designed to offer a rapid development server experience coupled with efficient build processes. It is a popular choice for developing Vue.js applications. If you are a Vite user, check your Vite versions and implement timely security hardening.
Reference links:
https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
https://nvd.nist.gov/vuln/detail/CVE-2025-30208
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
6.2.0 <= Vite <= 6.2.2
6.1.0 <= Vite <= 6.1.1
6.0.0 <= Vite <= 6.0.11
5.0.0 <= Vite <= 5.4.14
Vite <= 4.5.9
Secure versions:
6.2.3 <= Vite
6.1.2 <= Vite < 6.2.0
6.0.12 <= Vite < 6.1.0
5.4.15 <= Vite < 6.0.0
4.5.10 <= Vite < 5.0.0
IV. Vulnerability Handling
1. This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.
https://github.com/vitejs/vite/releases
2. Mitigation measures:
If a timely upgrade cannot be performed, you can mitigate this vulnerability by limiting network access to the Vite development server: do not expose it with the --host flag or the server.host option, and restrict inbound access to it to trusted hosts or networks.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.