CVE-2025-30208 is a CVSS 7.5 arbitrary file read vulnerability in the Vite JavaScript build tool’s @fs path traversal handler, enabling unauthenticated access to any file on the host including credentials, .env files, and SSH keys from a misconfigured or internet-exposed dev server; EPSS places this in the 99.5th percentile for exploitation probability with active exploitation attempts reported. Vite dev servers are not designed for internet-facing deployment; immediately audit all cloud, CI/CD, and staging environments for Vite instances bound to 0.0.0.0, block port 5173 at the perimeter, upgrade to the patched version, and rotate any credentials on previously exposed hosts.