Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
CVE-2023-34092

7.5HIGH

Key Information:

Vendor

vitejs

Status
vite
Vendor
CVE Published:
1 June 2023

What is CVE-2023-34092?

The Vite frontend tooling framework contains a vulnerability that allows unauthenticated users to bypass server file restrictions using a double forward-slash (//). This weakness enables access to sensitive files from the Vite project’s root directory, potentially exposing default configurations that should remain protected, such as '.env' files and SSL certificates. The issue primarily affects users who have explicitly configured the Vite development server to be accessible over a network. It is essential for developers using affected versions to upgrade to the patched versions to secure their configurations from improper exposure.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

vite < 2.9.16 < 2.9.16

vite >= 3.0.2, < 3.2.7 < 3.0.2, 3.2.7

vite >= 4.0.0, < 4.0.5 < 4.0.0, 4.0.5

References

https://github.com/vitejs/vite/security/advisories/GHSA-3...
x_refsource_CONFIRM
https://github.com/vitejs/vite/pull/13348
x_refsource_MISC
https://github.com/vitejs/vite/commit/813ddd6155c3d54801e...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.