
Jul 31, 2025
CVE-2025-30208 – Vite Arbitrary File Read via @fs Path Traversal Bypass
Discover CVE-2025-30208, a critical arbitrary file read vulnerability in the Vite development server. Learn how remote attackers exploit @fs URL handling to access sensitive files.
Overview
CVE-2025-30208 is an arbitrary file read vulnerability in the Vite development server. This vulnerability allows remote, unauthenticated attackers to access arbitrary files on the server’s filesystem by abusing Vite’s @fs URL handling.
- CVE ID: CVE-2025-30208
- Severity: Medium
- CVSS Score: 5.3
- EPSS Score: 75.83%
- Impact: Information Disclosure
- Attack Vector: Network
- Authentication Required: No
- Vulnerable Component: @fs path handler in the Vite Dev Server
This issue affects applications running Vite in development mode, exposing sensitive server-side files if the dev server is accessible remotely.
Technical Breakdown
Vite supports special paths like /@fs/absolute/path to import files directly from the filesystem during development. Normally, Vite restricts access to files outside its allow list (i.e., project root).
However, by appending ?import&raw?? to the request, an attacker can bypass this protection and force Vite to read and return arbitrary file contents as a raw ES module export.
Conditions for Exploitation
- The application is running Vite dev server (typically on port 5173).
- The server is remotely accessible (e.g., exposed over the internet or intranet).
- The attacker can issue crafted HTTP GET requests to the dev server.
- The target file is readable by the user running the Vite process.
Vulnerable Code Behavior
Expected behavior:
$ curl "http://localhost:5173/@fs/etc/passwd"
# => 403 Restricted
Security bypass (vulnerable):
$ curl "http://localhost:5173/@fs/etc/passwd?import&raw??"
# Response
export default "root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000:user:/home/user:/bin/bash\n";
//# sourceMappingURL=data:application/json;base64,...
The double question marks (??) confuse Vite’s import parser, bypassing the default allow-list restriction and enabling arbitrary file disclosure. The server responds with the file’s contents wrapped in an ES module as an export default string.
Mitigation
- Never expose Vite’s dev server to the public internet.
- Upgrade Vite to the latest patched version where this bypass is fixed.
- Consider running the dev server behind a local-only proxy or with strict firewall rules.
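As an added example that is not part of this advisory or of Vite itself, the script below scans dev-server access log lines for the request pattern described above (a /@fs/ path carrying the import&raw?? query) and flags reads that resolved outside the project root; the log format, the project root, and the sample log lines are assumptions constructed for the example.

```javascript
// Added example (not from the advisory or the Vite project): flag CVE-2025-30208-style
// /@fs/ requests in dev-server access logs. Log format and project root are assumed.

// Constructed sample lines in common log format; not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [31/Jul/2025:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '10.0.0.5 - - [31/Jul/2025:10:00:02 +0000] "GET /@fs/home/dev/app/src/App.vue HTTP/1.1" 200 900',
  '203.0.113.9 - - [31/Jul/2025:10:00:03 +0000] "GET /@fs/etc/passwd HTTP/1.1" 403 10',
  '203.0.113.9 - - [31/Jul/2025:10:00:04 +0000] "GET /@fs/etc/passwd?import&raw?? HTTP/1.1" 200 160',
  '203.0.113.9 - - [31/Jul/2025:10:00:05 +0000] "GET /@fs/home/dev/.ssh/id_rsa?import%26raw%3F%3F HTTP/1.1" 200 2600',
];

const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  return m ? { ip: m[1], method: m[2], target: m[3], status: Number(m[4]) } : null;
}

// Percent-decode without throwing on malformed sequences (attacker-controlled input).
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Collapse "." and ".." segments so traversal attempts resolve to the path actually read.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

// Classify one request; returns null unless it is a suspicious /@fs/ access.
function inspectRequest(req, projectRoot) {
  const url = new URL(req.target, "http://dev.invalid");
  const pathname = safeDecode(url.pathname);
  if (!pathname.startsWith("/@fs/")) return null;
  const fsPath = normalizePosix(pathname.slice("/@fs".length));
  const query = safeDecode(url.search).toLowerCase();
  const root = normalizePosix(projectRoot);
  const reasons = [];
  if (query.includes("import") && query.includes("raw")) reasons.push("import&raw query");
  if (query.includes("??")) reasons.push("double '?' in query");
  if (fsPath !== root && !fsPath.startsWith(root + "/")) reasons.push("outside project root");
  if (reasons.length === 0) return null;
  // A 200 for a file outside the allow list means the bypass succeeded; 4xx means Vite blocked it.
  const severity = req.status >= 400 ? "blocked" : reasons.includes("outside project root") ? "high" : "medium";
  return { ip: req.ip, target: req.target, status: req.status, fsPath, reasons, severity };
}

function scanLog(lines, projectRoot) {
  return lines.map(parseLine).filter(Boolean).map((r) => inspectRequest(r, projectRoot)).filter(Boolean);
}

for (const f of scanLog(SAMPLE_LOG, "/home/dev/app")) console.log(f.severity, f.ip, f.target, f.reasons.join(", "));
```

A 2xx finding with "outside project root" is the signal worth alerting on; the 4xx entries show the allow list doing its job and are useful only as reconnaissance context.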