Homepage
About Snyk

Improper Access Control Affecting vite package, versions >=2.7.0 <2.9.18 >=3.0.0 <3.2.10 >=4.0.0 <4.5.3 >=5.0.0 <5.0.13 >=5.1.0 <5.1.7 >=5.2.0 <5.2.6

0.0
medium

Snyk CVSS

    Attack Complexity High
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.04% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-VITE-6531286
  • published 4 Apr 2024
  • disclosed 3 Apr 2024
  • credit jtmcdole
Report a new vulnerability Found a mistake?

Introduced: 3 Apr 2024

CVE-2024-31207 Open this link in a new tab
CWE-200 Open this link in a new tab
CWE-284 Open this link in a new tab

How to fix?

Upgrade vite to version 2.9.18, 3.2.10, 4.5.3, 5.0.13, 5.1.7, 5.2.6 or higher.

Overview

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.

Note:

Only apps setting a custom server.fs.deny that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

PoC

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

with matchBase: true, you can get any file under .git/ (config, HEAD, etc).