CVE-2025-30208 (CVSS 7.5) is an arbitrary file read vulnerability in the Vite JavaScript build tool’s development server @fs path handling, with an EPSS score at the 99.5th percentile and active exploitation attempts confirmed in the wild. The attack surface is limited to Vite dev server instances exposed to public networks — a misconfiguration that occurs in cloud development environments, CI/CD runners, and developer workstations with public tunnels. Organizations should immediately identify and isolate internet-facing Vite dev server instances, patch to the latest Vite release, and rotate any credentials accessible via the host filesystem during the exposure window.