{"repro_id":"REPRO-2026-00195","version":8,"title":"Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.","repro_type":"security","status":"published","severity":"medium","cvss_score":5.3,"description":"Vite’s dev server `@fs` access control can be bypassed by appending crafted query strings such as `?raw??` or `?import&raw??`, allowing arbitrary files outside the serving allow list to be read when the dev server is exposed to the network.","cve_id":"CVE-2025-30208","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30208","package":{"name":"vite","ecosystem":"npm","affected_versions":">= 6.2.0 < 6.2.3, >= 6.1.0 < 6.1.2, >= 6.0.0 < 6.0.12, >= 5.0.0 < 5.4.15, < 4.5.10","fixed_version":"6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10"},"reproduced_at":"2026-07-01T22:39:41.418960+00:00","duration_secs":1391.0,"tool_calls":258,"handoffs":3,"total_cost_usd":4.123839980000002,"agent_costs":{"coding":1.5838485000000009,"judge":0.016444399999999998,"repro":1.18908951,"support":0.04336158,"vuln_variant":1.29109599},"cost_breakdown":{"coding":{"accounts/fireworks/routers/glm-5p2-fast":1.5838485000000009},"judge":{"gpt-5.4-mini":0.016444399999999998},"repro":{"accounts/fireworks/routers/glm-5p2-fast":1.18908951},"support":{"accounts/fireworks/routers/glm-5p2-fast":0.04336158},"vuln_variant":{"accounts/fireworks/routers/glm-5p2-fast":1.29109599}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"published_at":"2026-07-01T22:39:42.320203+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":12787,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":11916,"category":"analysis"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":1066,"category":"other"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":967,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":3322,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":2836,"category":"ticket"},{"path":"bundle/logs/vuln_server.log","filename":"vuln_server.log","size":397,"category":"log"},{"path":"bundle/logs/fixed_server.log","filename":"fixed_server.log","size":398,"category":"log"},{"path":"bundle/logs/result.txt","filename":"result.txt","size":301,"category":"other"}]}