ghsa-353f-5xf4-qw67
Vulnerability from github
The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//
). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.
Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js
file, review and update the server configuration options to restrict access to unauthorized requests or directories.
Impact
Only users explicitly exposing the Vite dev server to the network (using --host
or the server.host
config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.
### Details
Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev
.\n3. Directly access the file via url using double forward-slash (//
) (e.g: //.env
, //.env.local
)\n4. The server option fs.deny
was successfully bypassed.
Proof Images: \n
{ "affected": [ { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.9.16" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "events": [ { "introduced": "3.0.2" }, { "fixed": "3.2.7" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.5" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "events": [ { "introduced": "4.1.0" }, { "fixed": "4.1.5" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "events": [ { "introduced": "4.2.0" }, { "fixed": "4.2.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vite" }, "ranges": [ { "events": [ { "introduced": "4.3.0" }, { "fixed": "4.3.9" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-34092" ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-50", "CWE-706" ], "github_reviewed": true, "github_reviewed_at": "2023-06-06T02:01:39Z", "nvd_published_at": "2023-06-01T17:15:10Z", "severity": "HIGH" }, "details": "The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (`//`). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.\n\n### Steps to Fix. **Update Vite**: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\\n2. **Secure the server configuration**: In your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories.\n\n### Impact\nOnly users explicitly exposing the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected and only files in the immediate Vite project root folder could be exposed.\\n\\n### Patches\\nFixed in vite@**4.3.9**, vite@**4.2.3**, vite@**4.1.5**, vite@**4.0.5** and in the latest minors of the previous two majors, vite@**3.2.7** and vite@**2.9.16**.\n\n ### Details \nVite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \\n\\n### PoC\\n1. Create a new latest project of Vite using any package manager. (here I\u0027m using react and vue templates and pnpm for testing)\\n2. Serve the application on dev mode using `pnpm run dev`.\\n3. Directly access the file via url using double forward-slash (`//`) (e.g: `//.env`, `//.env.local`)\\n4. The server option `fs.deny` was successfully bypassed.\n\nProof Images: ![proof-1](https://user-images.githubusercontent.com/30733517/241105344-6ecbc7f6-57b7-45c7-856a-6421a577dda1.png)\\n![proof-2](https://user-images.githubusercontent.com/30733517/241105349-ab9561e7-8aff-4f29-97f9-b784e673c122.png)", "id": "GHSA-353f-5xf4-qw67", "modified": "2024-08-09T19:14:57Z", "published": "2023-06-06T02:01:39Z", "references": [ { "type": "WEB", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34092" }, { "type": "WEB", "url": "https://github.com/vitejs/vite/pull/13348" }, { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32" }, { "type": "PACKAGE", "url": "https://github.com/vitejs/vite" }, { "type": "WEB", "url": "https://security.snyk.io/package/npm/vite/3.2.0-beta.4" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.