CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score
Confidence: High

EPSS
Percentile: 10.3%

A flaw was found in the Node.js Vite package. When configuring the “server.fs.deny” server option to deny requests that include a pattern with directories such as /foo/**/*, the requests were still being allowed. This can potentially expose files or directories containing sensitive information. Only apps setting a custom “server.fs.deny” that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using --host or server.host config option are affected.
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
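
The two conditions in the description above can be checked against a project's dev-server settings. The following is an added example, not code from Vite or from this advisory: a triage helper that takes a Vite config object plus the dev-server command-line arguments and reports whether both conditions hold. The function names, the `inScope` field and the sample configs are hypothetical, and "a pattern with directories" is approximated as a deny entry containing a path separator.

```javascript
// Added example: triage helper, not Vite or Red Hat code.
// Assumption: "a pattern with directories" is approximated as a
// server.fs.deny entry containing a path separator, e.g. /foo/**/*.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// Host requested on the command line: undefined if --host is absent,
// true for a bare --host, otherwise the supplied value.
function cliHost(argv) {
  for (let i = 0; i < argv.length; i++) {
    if (argv[i].startsWith('--host=')) return argv[i].slice('--host='.length);
    if (argv[i] === '--host') {
      const next = argv[i + 1];
      return next !== undefined && !next.startsWith('-') ? next : true;
    }
  }
  return undefined;
}

// The dev server is network-exposed when the effective host (CLI value
// first, then server.host) is true or a non-loopback address.
function isNetworkExposed(config, argv = []) {
  const host = cliHost(argv) ?? config?.server?.host;
  return host === true || (typeof host === 'string' && !LOOPBACK.has(host));
}

// Custom deny entries that name a directory path.
function directoryDenyPatterns(config) {
  const deny = config?.server?.fs?.deny;
  if (!Array.isArray(deny)) return [];
  return deny.filter((p) => typeof p === 'string' && p.includes('/'));
}

// Both conditions from the advisory must hold for a config to be in scope.
function triage(config, argv = []) {
  const patterns = directoryDenyPatterns(config);
  const exposed = isNetworkExposed(config, argv);
  return { inScope: exposed && patterns.length > 0, exposed, patterns };
}

// Constructed sample configs (hypothetical projects).
const samples = {
  exposedWithDirDeny: { server: { host: '0.0.0.0', fs: { deny: ['.env', '/foo/**/*'] } } },
  localOnly: { server: { fs: { deny: ['/foo/**/*'] } } },
  exposedNoDirDeny: { server: { host: true, fs: { deny: ['.env'] } } },
};
for (const [name, cfg] of Object.entries(samples)) {
  console.log(name, triage(cfg));
}
```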