Summary

Vulnerability Name: Vite Access Control Bypass (CVE-2025-30208)
Released on: March 27, 2025
Affected Component: Vite
Affected Versions:
  6.2.0 ≤ Vite ≤ 6.2.2
  6.1.0 ≤ Vite ≤ 6.1.1
  6.0.0 ≤ Vite ≤ 6.0.11
  5.0.0 ≤ Vite ≤ 5.4.14
  Vite ≤ 4.5.9
Vulnerability Type: Access control bypass
Exploitation Condition:
  1. User authentication: not required.
  2. Precondition: default configurations.
  3. Trigger mode: remote.
Impact:
  Exploitation difficulty: easy. This vulnerability enables attackers to access resources without authorization.
  Severity: medium. This vulnerability may result in sensitive information leakage and unauthorized access.
Official Solution: Available

About the Vulnerability

Component Introduction

Vite is a modern frontend development tool that uses the browser's native ES module imports to provide a fast development server and fast builds. Vite aims to improve the development experience and developer efficiency through technologies such as hot module replacement (HMR).

Vulnerability Description

On March 27, 2025, Sangfor FarSight Labs received notification of the access control bypass vulnerability in Vite (CVE-2025-30208), classified as medium in threat level.

This vulnerability is an access control error in Vite. Specifically, Vite does not apply its security checks and restrictions to specific URLs. Unauthorized attackers can exploit this vulnerability to access sensitive files, resulting in information leakage.

Affected Versions

The following Vite versions are affected:

6.2.0 ≤ Vite ≤ 6.2.2

6.1.0 ≤ Vite ≤ 6.1.1

6.0.0 ≤ Vite ≤ 6.0.11

5.0.0 ≤ Vite ≤ 5.4.14

Vite ≤ 4.5.9

Vulnerability Reproduction

Sangfor FarSight Labs has reproduced the vulnerability.

[Figure: CVE-2025-30208: Vite Access-Control-Bypass]

Solutions

Remediation Solutions

Official Solution

The latest version has been officially released to fix the vulnerability. Affected users are advised to update the Vite component to the following versions:

Vite 6.2.3

Vite 6.1.2

Vite 6.0.12

Vite 5.4.15

Vite 4.5.10

Download link: https://github.com/vitejs/vite/releases
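
To find which projects need the upgrade, the affected ranges and fixed versions listed in this alert can be checked against the Vite versions resolved in a lockfile. The following is an added example, not code from Sangfor or the Vite project; the sample lockfile and its package names are constructed, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
// Affected ranges from this advisory: [lowest affected, highest affected, first fixed release].
const AFFECTED = [
  ['6.2.0', '6.2.2', '6.2.3'],
  ['6.1.0', '6.1.1', '6.1.2'],
  ['6.0.0', '6.0.11', '6.0.12'],
  ['5.0.0', '5.4.14', '5.4.15'],
  ['0.0.0', '4.5.9', '4.5.10'], // "Vite ≤ 4.5.9"
];
// Parse "major.minor.patch". Assumption: prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a resolved version: ${v}`);
  return m.slice(1).map(Number);
}
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns the fixed release to upgrade to, or null when the version is not affected.
function fixedVersionFor(version) {
  const hit = AFFECTED.find(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
  return hit ? hit[2] : null;
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3) and report every
// installed copy of vite, including copies nested under other packages.
function findAffectedVite(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Match the package "vite" exactly (not vite-plugin-*), skip entries without a version.
    if (!/(^|\/)node_modules\/vite$/.test(path) || !pkg.version) continue;
    const upgradeTo = fixedVersionFor(pkg.version);
    if (upgradeTo) findings.push({ path, version: pkg.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile (package names are hypothetical).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/vite': { version: '6.2.3' },
  'node_modules/vite-plugin-demo': { version: '5.4.14' },
  'node_modules/legacy-tool/node_modules/vite': { version: '5.4.14' },
  'node_modules/old-docs/node_modules/vite': { version: '4.5.9' },
} };
console.log(findAffectedVite(sampleLock));
```

For a real project, pass the parsed contents of its package-lock.json to findAffectedVite in place of the sample object. Nested copies matter because a dependency can pin an affected Vite even when the top-level install is already fixed.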

Sangfor Solutions

Risky Asset Discovery

The following Sangfor services can conduct proactive detection on Vite to discover affected assets in batches in business scenarios:

Sangfor Host Security: The corresponding asset discovery solution will be released on March 30, 2025. The fingerprint ID is 0032127.

Sangfor TSS: The corresponding asset discovery solution will be released on March 30, 2025. The fingerprint ID is 0032127.

Vulnerability Detection

The following Sangfor services can proactively detect CVE-2025-30208 vulnerabilities and quickly identify vulnerability risks in batches in business scenarios:

Sangfor Host Security: The corresponding detection solution will be released on March 30, 2025. The rule ID is SF-2025-00363.

Sangfor TSS: The corresponding detection solution will be released on March 31, 2025. The rule ID is SF-2025-00998.

Sangfor Cyber Guardian Platform: The corresponding detection solution will be released on March 31, 2025. The rule ID is SF-2025-00998. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Sangfor TSS.

Sangfor XDR: The corresponding detection solution will be released on March 30, 2025. The rule ID is SF-2025-00363. In this case, make sure that Sangfor XDR is integrated with Sangfor Host Security.

Vulnerability Monitoring

The following Sangfor services support CVE-2025-30208 vulnerability monitoring, and can quickly identify affected assets and the impact scope in business scenarios in real time through traffic collection:

Cyber Command: The corresponding monitoring solution will be released on April 03, 2025. The rule ID is 11027470.

Sangfor Cyber Guardian Platform: The corresponding monitoring solution will be released on April 03, 2025. The rule ID is 11027470. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Cyber Command.

Sangfor XDR: The corresponding monitoring solution will be released on April 03, 2025. The rule ID is 11027470.

Vulnerability Prevention

The following Sangfor services can effectively block CVE-2025-30208 exploits:

Network Secure: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027470.

Sangfor Web Application Firewall: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027470.

Sangfor Cyber Guardian Platform: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027470. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Network Secure.

Sangfor XDR: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027470. In this case, make sure that Sangfor XDR is integrated with Network Secure.

Timeline

On March 27, 2025, Sangfor FarSight Labs received notification of the access control bypass vulnerability in Vite (CVE-2025-30208).

On March 27, 2025, Sangfor FarSight Labs released a vulnerability alert.

References

https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w

Learn More

Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.
