Skip to content

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

High
patak-dev published GHSA-353f-5xf4-qw67 Jun 1, 2023

Package

npm vite (npm)

Affected versions

2.9.15
>=3.0.2 <=3.2.6
>=4.0.0 <=4.0.4
>=4.1.0 <=4.1.4
>=4.2.0 <=4.2.2
>=4.3.0 <=4.3.8

Patched versions

>=2.9.16 <3.0.0
>=3.2.7 <4.0.0
>=4.0.5 <4.1.0
>=4.1.5 <4.2.0
>=4.2.3 <4.3.0
>=4.3.9

Description

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}'])

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected]
And in the latest minors of the previous two majors: [email protected], [email protected]

Details

Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.

PoC

  1. Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
  2. Serve the application on dev mode using pnpm run dev.
  3. Directly access the file from url using double forward-slash (//) (e.g: //.env, //.env.local)
  4. Server Options fs.deny restrict successfully bypassed.

Proof Images:
proof-1
proof-2

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-34092

Weaknesses

Path Equivalence: '//multiple/leading/slash'

The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Learn more on MITRE.

Credits