Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-30208
CVE-2025-30208:
JavaScript vulnerability analysis and mitigation
Overview
Vite, a provider of frontend development tooling, disclosed a vulnerability (CVE-2025-30208) affecting versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. The vulnerability was discovered on March 24, 2025, and allows attackers to bypass file system restrictions in the Vite development server. The vulnerability affects applications that explicitly expose the Vite dev server to the network using the --host or server.host configuration option (NVD, GitHub Advisory).
Technical details
The vulnerability exists in Vite's @fs functionality which normally denies access to files outside of the Vite serving allow list. By adding ?raw?? or ?import&raw?? to the URL, attackers can bypass this limitation. The bypass occurs because trailing separators such as ? are removed in several places but are not properly accounted for in query string regular expressions. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD, Security Online).
Impact
When exploited, this vulnerability allows attackers to access and return the contents of arbitrary files to the browser that should be restricted. This poses a significant security risk for applications that expose their Vite development server to the network, as sensitive information could be exposed to unauthorized users (GitHub Advisory, Security Online).
Mitigation and workarounds
The vulnerability has been patched in Vite versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. Users are strongly advised to upgrade to these patched versions. As a general security practice, it is recommended to avoid exposing development servers to the network whenever possible (NVD, GitHub Advisory).
Community reactions
The security community has responded with concern to this vulnerability, particularly given the widespread use of Vite in modern web development. The issue has gained significant attention due to the release of a proof-of-concept exploit and the potential impact on exposed development servers (Security Online).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management