Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-30208

Опубликовано: 24 мар. 2025
Источник: redhat
CVSS3: 5.3
EPSS Высокий

Описание

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 2automation-controllerFix deferred
Red Hat Ansible Automation Platform 2automation-eda-controllerFix deferred
Red Hat Ansible Automation Platform 2automation-gatewayFix deferred
Red Hat JBoss Enterprise Application Platform 8org.keycloak-keycloak-parentFix deferred
Red Hat JBoss Enterprise Application Platform Expansion Packorg.keycloak-keycloak-parentFix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-gateway-opa-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-gateway-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-jaeger-query-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-query-rhel8Fix deferred
Red Hat OpenShift distributed tracing 3rhosdt/tempo-rhel8Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
Дефект:
CWE-284
https://bugzilla.redhat.com/show_bug.cgi?id=2354598vite: Vite bypasses server.fs.deny when using `?raw??`

EPSS

Процентиль: 99%
0.76919
Высокий

5.3 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-30208

CVSS3: 5.3
nvd
6 месяцев назад

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

debian логотип

CVE-2025-30208

CVSS3: 5.3
debian
6 месяцев назад

Vite, a provider of frontend development tooling, has a vulnerability ...

github логотип

GHSA-x574-m823-4x7w

CVSS3: 5.3
github
6 месяцев назад

Vite bypasses server.fs.deny when using ?raw??

fstec логотип

BDU:2025-03698

CVSS3: 6.5
fstec
6 месяцев назад

Уязвимость функции transformMiddleware механизма @fs локального сервера разработки приложений Vite, позволяющая нарушителю читать произвольные файлы

EPSS

Процентиль: 99%
0.76919
Высокий

5.3 Medium

CVSS3