Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208), (Thu, Apr 2nd)

From its GitHub repo: Vite (French word for quick , pronounced /vi?t/, like veet ) is a new breed of frontend build tooling that significantly improves the frontend development experience [ https://github.com/vitejs/vite ]. This environment introduces some neat and useful shortcuts to make developers' lives simpler. But as so often, if exposed, these features can be turned against you. Today, I noticed our honeypots collecting URLs like: /@fs/../../../../../etc/environment?raw?? /@fs/etc/environment?raw?? /@fs/home/app/.aws/credentials?raw?? and many more like it. The common denominator is the prefix /@fs/ and the ending '?raw??'. This pattern matches CVE-2025-30208, a vulnerability in Vite described by Offsec.com in July last year [ https://www.offsec.com/blog/cve-2025-30208/ ]. The '@fs' feature is a Vite prefix for retrieving files from the server. To protect the server's file system, Vite implements configuration directives to restrict access to specific directories. However, the '??raw?' suffix can be used to bypass the access list and download arbitrary files. Scanning activity on port 5173 is quite low, and the attacks we have seen use standard web server ports. Vite is typically listening on port 5173. It should be installed such that it is only reachable via localhost, but apparently, at least attackers believe that it is often exposed. The attacks we are seeing are attempting to retrieve various well-known configuration files, likely to extract secrets. -- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter | (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.