Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208), (Thu, Apr 2nd)
Summary: attackers abuse Vite's `@fs` feature with the `?raw??` suffix to bypass its access restrictions and steal sensitive configuration files from the server.
2026-4-2 14:49, author: isc.sans.edu

From its GitHub repo: "Vite (French word for "quick", pronounced /vit/, like "veet") is a new breed of frontend build tooling that significantly improves the frontend development experience" [https://github.com/vitejs/vite].

This environment introduces some neat and useful shortcuts that make developers' lives simpler. But, as so often happens, if these features are exposed they can be turned against you.

Today, I noticed our honeypots collecting URLs like:

/@fs/../../../../../etc/environment?raw??
/@fs/etc/environment?raw??
/@fs/home/app/.aws/credentials?raw??

and many more like them. The common denominator is the prefix "/@fs/" and the suffix "?raw??". This pattern matches CVE-2025-30208, a vulnerability in Vite described by Offsec.com in July last year [https://www.offsec.com/blog/cve-2025-30208/].

The '@fs' feature is a Vite prefix for retrieving files from the server. To protect the server's file system, Vite implements configuration directives that restrict access to specific directories. However, the '?raw??' suffix can be used to bypass that access list and download arbitrary files.

Vite typically listens on port 5173. It should be installed so that it is reachable only via localhost, but attackers apparently believe it is often exposed. Scanning activity on port 5173 is quite low; the attacks we have seen use standard web server ports. These attacks attempt to retrieve various well-known configuration files, likely to extract secrets.
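As an added example (not code from the diary or from the Vite project), the following Python scanner flags the /@fs/...?raw?? probe pattern in constructed common-log-format access-log lines and normalizes each requested path, so a defender can see which file every probe targeted and whether the server answered with a 200.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (common log format), not taken from the diary;
# the request targets mirror the /@fs/ probes described in the text.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2026:10:00:01 +0000] "GET /@fs/../../../../../etc/environment?raw?? HTTP/1.1" 200 512
203.0.113.5 - - [02/Apr/2026:10:00:02 +0000] "GET /@fs/home/app/.aws/credentials?raw?? HTTP/1.1" 200 210
198.51.100.7 - - [02/Apr/2026:10:00:03 +0000] "GET /src/main.ts?import&raw HTTP/1.1" 200 1400
198.51.100.7 - - [02/Apr/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 900
"""

# Fields of a common-log-format line that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The indicator from the diary: a /@fs/ path whose query string ends in
# "raw??", the suffix associated with the CVE-2025-30208 bypass.
FS_RAW_RE = re.compile(r'/@fs/.*\?.*raw\?\?$')


def is_vite_fs_probe(target: str) -> bool:
    """True when a request target matches the /@fs/...?raw?? pattern."""
    return bool(FS_RAW_RE.search(unquote(target)))


def requested_file(target: str) -> str:
    """Resolve the file a probe tries to read: strip the query and the /@fs
    prefix, then collapse '..' segments so the absolute path is readable."""
    path = unquote(urlsplit(target).path)
    if path.startswith('/@fs'):
        path = path[len('/@fs'):]
    return posixpath.normpath(path)


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per log line that matches the probe pattern.
    A 200 status on such a line suggests the file was actually served."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_vite_fs_probe(m['target']):
            findings.append({
                'ip': m['ip'],
                'file': requested_file(m['target']),
                'status': int(m['status']),
            })
    return findings
```

Legitimate Vite requests such as `/src/main.ts?import&raw` do not carry the `/@fs/` prefix with the trailing `??`, so they are not reported.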

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/32860