Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
CVE-2024-23331

7.5 HIGH

Key Information:

Vendor: vitejs
Status: Vendor
CVE Published: 19 January 2024

Summary

The Vite dev server's `server.fs.deny` option, which lists files the server must not serve, can be bypassed on case-insensitive file systems such as those commonly used on Windows. The deny patterns are matched with picomatch, whose matching is case-sensitive, but the file server does not reject requests whose file name differs from a denied pattern only in letter case. On a case-insensitive file system such a case-augmented name still resolves to the denied file, so files that the deny list is meant to protect can be read. Users should upgrade to one of the patched Vite versions listed below; as an interim measure, restrict who can reach the development server.

Affected Version(s)

vite >=2.7.0, <2.9.17 (not affected: <2.7.0; fixed in 2.9.17)

vite >=3.0.0, <3.2.8 (not affected: <3.0.0; fixed in 3.2.8)

vite >=4.0.0, <4.5.2 (not affected: <4.0.0; fixed in 4.5.2)

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
