# REPRO-2026-00195: Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.

## Summary

- Status: published
- Severity: medium
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00195
- CVE: CVE-2025-30208

## Package

- Name: vite
- Ecosystem: npm
- Affected: >= 6.2.0 < 6.2.3, >= 6.1.0 < 6.1.2, >= 6.0.0 < 6.0.12, >= 5.0.0 < 5.4.15, < 4.5.10
- Fixed: 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10

## Root Cause

No root cause analysis available.

## Reproduction Details

- Reproduced: 2026-07-01T22:39:41.418Z
- Duration: 1391 seconds
- Tool calls: 258
- Turns: Unknown
- Handoffs: 3

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00195
pruva-verify CVE-2025-30208
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00195&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00195/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30208
- Source: https://nvd.nist.gov/vuln/detail/CVE-2025-30208

## Artifacts

- bundle/repro/reproduction_steps.sh (reproduction_script, 12787 bytes)
- bundle/repro/rca_report.md (analysis, 11916 bytes)
- bundle/repro/runtime_manifest.json (other, 1066 bytes)
- bundle/repro/validation_verdict.json (other, 967 bytes)
- bundle/ticket.json (other, 3322 bytes)
- bundle/ticket.md (ticket, 2836 bytes)
- bundle/logs/vuln_server.log (log, 397 bytes)
- bundle/logs/fixed_server.log (log, 398 bytes)
- bundle/logs/result.txt (other, 301 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00195
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00195/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00195

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev