Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jxyb-k93s-g3e8
Vulnerability ID VCID-jxyb-k93s-g3e8
Aliases CVE-2025-30208
GHSA-x574-m823-4x7w
Summary Vite bypasses server.fs.deny when using ?raw?? The contents of arbitrary files can be returned to the browser.
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-284 Improper Access Control
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-41 Improper Resolution of Path Equivalence
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30208.json
epss 0.89847 https://api.first.org/data/v1/epss?cve=CVE-2025-30208
cvssv3.1 5.3 https://github.com/vitejs/vite
generic_textual MODERATE https://github.com/vitejs/vite
cvssv3.1 5.3 https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
generic_textual MODERATE https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
ssvc Track https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
cvssv3.1 5.3 https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
generic_textual MODERATE https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
ssvc Track https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
cvssv3.1 5.3 https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
generic_textual MODERATE https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
ssvc Track https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
cvssv3.1 5.3 https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
generic_textual MODERATE https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
ssvc Track https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
cvssv3.1 5.3 https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
generic_textual MODERATE https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
ssvc Track https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
cvssv3.1 5.3 https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
generic_textual MODERATE https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
ssvc Track https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-30208
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-30208
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30208.json
https://api.first.org/data/v1/epss?cve=CVE-2025-30208
https://github.com/vitejs/vite
https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
2354598 https://bugzilla.redhat.com/show_bug.cgi?id=2354598
CVE-2025-30208 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52111.py
CVE-2025-30208 https://nvd.nist.gov/vuln/detail/CVE-2025-30208
GHSA-x574-m823-4x7w https://github.com/advisories/GHSA-x574-m823-4x7w
GHSA-x574-m823-4x7w https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
Data source Exploit-DB
Date added April 3, 2025
Description Vite 6.2.2 - Arbitrary File Read
Ransomware campaign use Unknown
Source publication date April 3, 2025
Exploit type remote
Platform multiple
Source update date April 3, 2025
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30208.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T17:40:42Z/ Found at https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T17:40:42Z/ Found at https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T17:40:42Z/ Found at https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T17:40:42Z/ Found at https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T17:40:42Z/ Found at https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T17:40:42Z/ Found at https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-30208
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99592
EPSS Score 0.89847
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:23:39.593668+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-30208.yml 38.6.0