Metrics
Affected Vendors & Products
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Tue, 23 Sep 2025 14:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | NVD-CWE-noinfo | |
CPEs | cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:* |
Wed, 26 Mar 2025 02:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Mon, 24 Mar 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 24 Mar 2025 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue. | |
Title | Vite bypasses server.fs.deny when using `?raw??` | |
Weaknesses | CWE-200 CWE-284 |
|
References |
|
|
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-03-24T17:46:37.205Z
Reserved: 2025-03-18T18:15:13.849Z
Link: CVE-2025-30208

Updated: 2025-03-24T17:46:31.722Z

Status : Analyzed
Published: 2025-03-24T17:15:21.820
Modified: 2025-09-23T14:39:29.023
Link: CVE-2025-30208


Updated: 2025-07-12T15:26:06Z