Skip to content

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

High
patak-dev published GHSA-353f-5xf4-qw67 Jun 1, 2023

Package

npm vite (npm)

Affected versions

2.9.15
>=3.0.2 <=3.2.6
>=4.0.0 <=4.0.4
>=4.1.0 <=4.1.4
>=4.2.0 <=4.2.2
>=4.3.0 <=4.3.8

Patched versions

>=2.9.16 <3.0.0
>=3.2.7 <4.0.0
>=4.0.5 <4.1.0
>=4.1.5 <4.2.0
>=4.2.3 <4.3.0
>=4.3.9

Description

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}'])

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.

PoC

  1. Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
  2. Serve the application on dev mode using pnpm run dev.
  3. Directly access the file from url using double forward-slash (//) (e.g: //.env, //.env.local)
  4. Server Options fs.deny restrict successfully bypassed.

Proof Images:
proof-1
proof-2

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-34092

Weaknesses

Credits