一、 漏洞 CVE-2025-30208 基础信息
漏洞信息
# Vite 在使用 `?raw??` 时绕过 server.fs.deny 配置
## 漏洞描述
### 概述
Vite是一款前端开发工具,在某些旧版本中存在一个漏洞,允许攻击者绕过文件访问限制并读取任意文件。
### 影响版本
- 版本早于6.2.3, 6.1.2, 6.0.12, 5.4.15 和 4.5.10。
### 细节
在这些受影响的版本中,通过`@fs`接口可以访问Vite服务允许列表中的文件。但是添加特殊参数(如`?raw??`或`?import&raw??`)到URL时,会绕过这些限制,返回任意存在的文件内容。这是因为处理URL附加参数时删除了尾随分隔符(`?`),但没有考虑查询字符串的正则表达式。
### 影响
- 只有使用 `--host` 或配置选项 `server.host` 显式暴露Vite开发服务器到网络的应用受此漏洞影响。
- 修复版本:6.2.3, 6.1.2, 6.0.12, 5.4.15 和 4.5.10。
神龙判断
是否为 Web 类漏洞: 否
判断理由:
否。这个漏洞存在于Vite的前端开发工具中,并影响其开发服务器的安全性。具体来说,该漏洞允许攻击者通过特定的URL查询参数(例如`?raw??`或`?import&raw??`)绕过文件访问限制,获取本应被阻止访问的文件内容。然而,这主要影响的是在开发环境中使用的Vite开发服务器,特别是那些通过`--host`或`server.host`配置选项将开发服务器暴露在网络上的应用。因此,这个问题更偏向于开发环境配置和前端开发工具的安全性问题,而非典型的Web服务端漏洞。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Vite bypasses server.fs.deny when using `?raw??`
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
信息暴露
来源:美国国家漏洞数据库 NVD
漏洞标题
Vite 访问控制错误漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Vite是Vite开源的一种新型的前端构建工具。 Vite存在访问控制错误漏洞,该漏洞源于URL中的`?raw??`或`?import&raw??`可以绕过文件访问限制,返回任意文件内容。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
授权问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-30208 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | 最新的CVE-2025-30208的poc(这个仓库主要拿来写实战src的一些自己写的bypass-waf的脚本以及搜集的干货博主) | https://github.com/LiChaser/CVE-2025-30208 | POC详情 |
| 2 | 全网首发 The first Vite scanner on the entire network Automatic target asset collection via FOFA Multi-threaded concurrent scanning Automatic CSV report generation | https://github.com/xuemian168/CVE-2025-30208 | POC详情 |
| 3 | CVE-2025-30208-EXP | https://github.com/ThumpBo/CVE-2025-30208-EXP | POC详情 |
| 4 | CVE-2025-30208 检测工具。python script && nuclei template | https://github.com/xaitx/CVE-2025-30208 | POC详情 |
| 5 | CVE-2025-30208漏洞验证工具 | https://github.com/kk12-30/CVE-2025-30208 | POC详情 |
| 6 | CVE-2025-30208 任意文件读取漏洞快速验证 | https://github.com/YuanBenSir/CVE-2025-30208_POC | POC详情 |
| 7 | CVE-2025-30208-EXP 任意文件读取 | https://github.com/marino-admin/Vite-CVE-2025-30208-Scanner | POC详情 |
| 8 | CVE-2025-30208动态检测脚本,支持默认路径,自定义路径动态检测 | https://github.com/iSee857/CVE-2025-30208-PoC | POC详情 |
| 9 | This exploit is for educational and ethical security testing purposes only. The use of this exploit against targets without prior mutual consent is illegal, and the developer disclaims any liability for misuse or damage caused by this exploit. | https://github.com/On1onss/CVE-2025-30208-LFI | POC详情 |
| 10 | CVE-2025-30208 | Vite脚本 | https://github.com/sadhfdw129/CVE-2025-30208-Vite | POC详情 |
| 11 | CVE-2025-30208 ViteVulnScanner | https://github.com/keklick1337/CVE-2025-30208-ViteVulnScanner | POC详情 |
| 12 | A PoC of the exploit script for the Arbitrary File Read vulnerability of Vite /@fs/ Path Traversal in the transformMiddleware (CVE-2025-30208). | https://github.com/4xura/CVE-2025-30208 | POC详情 |
| 13 | 针对CVE-2025-30208和CVE-2025-31125的漏洞利用 | https://github.com/jackieya/ViteVulScan | POC详情 |
| 14 | None | https://github.com/0xshaheen/CVE-2025-30208 | POC详情 |
| 15 | mass scan for CVE-2025-30208 | https://github.com/sumeet-darekar/CVE-2025-30208 | POC详情 |
| 16 | CVE-2025-30208 - Vite Arbitrary File Read PoC | https://github.com/4m3rr0r/CVE-2025-30208-PoC | POC详情 |
| 17 | Vite-CVE-2025-30208-EXP单目标检测,支持自定义读取路径,深度检索 | https://github.com/lilil3333/Vite-CVE-2025-30208-EXP | POC详情 |
| 18 | Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-30208.yaml | POC详情 |
| 19 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/Vite%20%E5%BC%80%E5%8F%91%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%20CVE-2025-30208.md | POC详情 |
| 20 | https://github.com/vulhub/vulhub/blob/master/vite/CVE-2025-30208/README.md | POC详情 | |
| 21 | CVE-2025-30208 vite file read nuclei template | https://github.com/imbas007/CVE-2025-30208-template | POC详情 |
| 22 | Analysis of the Reproduction of CVE-2025-30208 Series Vulnerabilities | https://github.com/r0ngy40/CVE-2025-30208-Series | POC详情 |
| 23 | None | https://github.com/nkuty/CVE-2025-30208-31125-31486-32395 | POC详情 |
| 24 | POC | https://github.com/HaGsec/CVE-2025-30208 | POC详情 |
| 25 | CVE-2025-30208 | https://github.com/B1ack4sh/Blackash-CVE-2025-30208 | POC详情 |
| 26 | CVE‑2025‑30208 is a medium-severity arbitrary file read vulnerability in the Vite development server (a popular frontend build tool) | https://github.com/ThemeHackers/CVE-2025-30208 | POC详情 |
| 27 | CVE‑2025‑30208 is a medium-severity arbitrary file read vulnerability in the Vite development server (a popular frontend build tool) | https://github.com/TH-SecForge/CVE-2025-30208 | POC详情 |
| 28 | CVE-2025-30208 | https://github.com/gonn4cry/CVE-2025-30208 | POC详情 |
| 29 | 🛠️ Detect and exploit the Vite development server's arbitrary file read vulnerability (CVE-2025-30208) with customizable options for effective scanning. | https://github.com/Dany60-98/CVE-2025-30208-EXP | POC详情 |
| 30 | CVE-2025-30208 | https://github.com/bugdotexe/CVE-2025-30208 | POC详情 |
| 31 | CVE-2025-30208 | https://github.com/qodo-dev/CVE-2025-30208 | POC详情 |
| 32 | CVE-2025-30208 任意文件读取漏洞快速验证 | https://github.com/MiclelsonCN/CVE-2025-30208_POC | POC详情 |
| 33 | CVE-2025-30208 检测工具。python script && nuclei template | https://github.com/Lusensec/CVE-2025-30208 | POC详情 |
| 34 | CVE-2025-30208 | https://github.com/Ashwesker/Blackash-CVE-2025-30208 | POC详情 |
| 35 | This repository documents CVE-2025-30208, an Arbitrary File Read vulnerability affecting Vite development servers when misconfigured or exposed to untrusted networks. | https://github.com/layanOd/CVE-2025-30208-Arbitrary-File-Read-in-Vite-servers | POC详情 |
| 36 | This exploit is for educational and ethical security testing purposes only. The use of this exploit against targets without prior mutual consent is illegal, and the developer disclaims any liability for misuse or damage caused by this exploit. | https://github.com/On1onss/CVE-2025-30208 | POC详情 |
| 37 | CVE-2025-30208 | https://github.com/Ashwesker/Ashwesker-CVE-2025-30208 | POC详情 |
三、漏洞 CVE-2025-30208 的情报信息
标题: server.fs.deny bypassed when using `?raw??` · Advisory · vitejs/vite · GitHub -- 🔗来源链接
标签:x_refsource_CONFIRM
标题: fix: fs raw query with query separators (#19702) · vitejs/vite@92ca12d · GitHub -- 🔗来源链接
标签:x_refsource_MISC
标题: fix: backport #19702, fs raw query with query separators (#19704) · vitejs/vite@315695e · GitHub -- 🔗来源链接
标签:x_refsource_MISC
标题: fix: fs raw query with query separators (#19702) · vitejs/vite@f234b57 · GitHub -- 🔗来源链接
标签:x_refsource_MISC
标题: fix: fs raw query with query separators (#19702) · vitejs/vite@80381c3 · GitHub -- 🔗来源链接
标签:x_refsource_MISC
标题: fix: backport #19702, fs raw query with query separators (#19703) · vitejs/vite@807d7f0 · GitHub -- 🔗来源链接
标签:x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2025-30208
四、漏洞 CVE-2025-30208 的评论
暂无评论