Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
CVE-2023-34092

7.5HIGH

Key Information:

Vendor
vitejs
Status
vite
Vendor
CVE Published:
1 June 2023

Summary

The Vite frontend tooling framework contains a vulnerability that allows unauthenticated users to bypass server file restrictions using a double forward-slash (//). This weakness enables access to sensitive files from the Vite project’s root directory, potentially exposing default configurations that should remain protected, such as '.env' files and SSL certificates. The issue primarily affects users who have explicitly configured the Vite development server to be accessible over a network. It is essential for developers using affected versions to upgrade to the patched versions to secure their configurations from improper exposure.

Affected Version(s)

vite < 2.9.16 < 2.9.16

vite >= 3.0.2, < 3.2.7 < 3.0.2, 3.2.7

vite >= 4.0.0, < 4.0.5 < 4.0.0, 4.0.5

References

https://github.com/vitejs/vite/security/advisories/GHSA-3...
x_refsource_CONFIRM
https://github.com/vitejs/vite/pull/13348
x_refsource_MISC
https://github.com/vitejs/vite/commit/813ddd6155c3d54801e...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.