CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
10.3%
Vite dev server option server.fs.deny
did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*
.
Only apps setting a custom server.fs.deny
that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host
or server.host
config option) are affected.
Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
server.fs.deny
uses picomatch with the config of { matchBase: true }
. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true }
and that causes dotfiles not to be denied unless they are explicitly defined.
Reproduction
Set fs.deny to ['**/.git/**']
and then curl for /.git/config
.
matchBase: true
, you can get any file under .git/
(config, HEAD, etc).matchBase: false
, you cannot get any file under .git/
(config, HEAD, etc).github.com/vitejs/vite
github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0
github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48
github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67
github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9
github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258
github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649
github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
nvd.nist.gov/vuln/detail/CVE-2024-31207
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
10.3%