## https://sploitus.com/exploit?id=9349E804-9874-5D40-A4D5-7FAE1725C5AA
# CVE-2025-30208
> Using a special raw import query string on a Vite dev server, an attacker can read arbitrary files
## Summary of the CVE
In Vite dev servers before 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10, the `server.fs.deny` file access checks can be bypassed for `@fs` requests. Appending `?raw??` or `?import&raw??` to an `@fs` URL returns the contents of files that should normally be blocked by the dev server allow list.
**Only applications that explicitly expose the Vite dev server to the network are affected**.
"Normal" static production builds are not affected by this vulnerability.
## Affected Versions
- Vite < 4.5.10
- Vite >= 5.0.0, < 5.4.15
- Vite >= 6.0.0, < 6.0.12
- Vite >= 6.1.0, < 6.1.2
- Vite >= 6.2.0, < 6.2.3
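
A triage sketch for the summary and version list above, added here as an example (it is not code from Vite, the advisory or the linked PoC): `isAffectedVersion` compares an installed version against the fixed releases named in the summary, and `findBypassAttempts` flags the two query forms in access-log lines. The function names, the combined-format log from a proxy in front of the dev server, and the sample lines are assumptions.

```javascript
// Added example: triage helpers for CVE-2025-30208 (not Vite or advisory code).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) throw new Error(`unsupported version string: ${version}`);
  return m.slice(1).map(Number);
}
// Fixed release for each release line, as listed in the summary above.
function fixedReleaseFor([major, minor]) {
  if (major <= 4) return [4, 5, 10];
  if (major === 5) return [5, 4, 15];
  if (major === 6 && minor === 0) return [6, 0, 12];
  if (major === 6 && minor === 1) return [6, 1, 2];
  if (major === 6 && minor === 2) return [6, 2, 3];
  return null; // release lines this page does not list as affected
}

function isAffectedVersion(version) {
  const v = parseVersion(version);
  const fixed = fixedReleaseFor(v);
  if (!fixed) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// The two query forms named in the summary, on a request target containing /@fs/.
const BYPASS_QUERY = /^(?:import&)?raw\?\?$/;
function isBypassRequest(target) {
  const q = target.indexOf("?");
  if (q === -1) return false;
  return target.slice(0, q).includes("/@fs/") && BYPASS_QUERY.test(target.slice(q + 1));
}

// Assumes combined-format access logs with a quoted request line.
function findBypassAttempts(logLines) {
  return logLines.filter((line) => {
    const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    return m !== null && isBypassRequest(m[1]);
  });
}
// Constructed sample lines (documentation IP ranges, made-up paths).
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Apr/2025:10:00:00 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '192.0.2.10 - - [01/Apr/2025:10:00:01 +0000] "GET /@fs/srv/app/logo.svg?raw HTTP/1.1" 200 900',
  '198.51.100.7 - - [01/Apr/2025:10:00:02 +0000] "GET /@fs/tmp/constructed.txt?raw?? HTTP/1.1" 200 42',
  '198.51.100.7 - - [01/Apr/2025:10:00:03 +0000] "GET /@fs/tmp/constructed.txt?import&raw?? HTTP/1.1" 200 42',
];
```

A plain `?raw` import on an `@fs` URL is normal dev-server traffic and is deliberately not flagged; only the trailing `??` forms are.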
## References
- [Vite Security Advisory - GHSA-x574-m823-4x7w](https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w)
- [NVD - CVSS Score 7.5](https://nvd.nist.gov/vuln/detail/CVE-2025-30208)
- [GitHub PoC - ThumpBo, Mar 2025](https://github.com/ThumpBo/CVE-2025-30208-EXP)
- [Public Docker lab - Vulhub](https://github.com/vulhub/vulhub/tree/master/vite/CVE-2025-30208)
- [CVE-details - CVSS Score 7.5](https://www.cvedetails.com/cve/CVE-2025-30208/)