HOMEVULNERABILITIESCVE-2025-30208
UNKNOWNCISA KEVIN THE WILD

CVE-2025-30208

Published: April 11, 2026

Official Description

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

NVD Source

Technical Analysis

CVE-2025-30208 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CISA has added CVE-2025-30208 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

Exploit & PoC Resources

ACTIVE EXPLOITATIONConfirmed exploitation in the wild
External links open in a new tab. Always verify in a controlled environment before use.

News & Research Mentioning CVE-2025-30208

Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208), (Thu, Apr 2nd)
SANS ISC· Apr 2, 2026

From its GitHub repo: "Vite (French word for "quick", pronounced /vi?t/, like "veet") is a new breed of frontend build tooling that significantly improves the frontend development experience" [https://github.com/vitejs/vite]. [xlite_meta score:57 src:SANS ISC xlite_fp:cbd07cef977fa26eb2d32aedaee95c52cad672a15f145839a0674957a5157ea9]

Quick Facts

CVE IDCVE-2025-30208
Severity
CISA KEVYES — Active Exploitation
ExploitIN THE WILD
PublishedApr 11, 2026

Known Threat Actors

core
financial
J
financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-30208 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • !Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.