Skip to content

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

High severity GitHub Reviewed Published Jun 1, 2023 in vitejs/vite • Updated Aug 9, 2024

Package

npm vite (npm)

Affected versions

< 2.9.16
>= 3.0.2, < 3.2.7
>= 4.0.0, < 4.0.5
>= 4.1.0, < 4.1.5
>= 4.2.0, < 4.2.3
>= 4.3.0, < 4.3.9

Patched versions

2.9.16
3.2.7
4.0.5
4.1.5
4.2.3
4.3.9

Description

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1\nproof-2

References

@patak-dev patak-dev published to vitejs/vite Jun 1, 2023
Published by the National Vulnerability Database Jun 1, 2023
Published to the GitHub Advisory Database Jun 6, 2023
Reviewed Jun 6, 2023
Last updated Aug 9, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

0.180%
(55th percentile)

CVE ID

CVE-2023-34092

GHSA ID

GHSA-353f-5xf4-qw67

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.