ghsa-8jhw-289h-jh2g
Vulnerability from github
Summary
Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.
Impact
Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or the server.host config option), are affected.
Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.deny uses picomatch with the config { matchBase: true }. Due to a picomatch bug (https://github.com/micromatch/picomatch/issues/89), matchBase matches only the basename of the file, not the full path, so a deny pattern that names a directory never matches. The Vite config docs read as though fs.deny accepts picomatch globs. Vite also does not set { dot: true }, so dotfiles are not denied unless they are explicitly named in the pattern.
Reproduction
Set fs.deny to ['**/.git/**'] and then curl for /.git/config.
- with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
- with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).
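The Details and Reproduction sections above turn on two picomatch options, matchBase and dot. The following is an added example, not code from Vite or picomatch: it uses a small glob-to-RegExp translation written here as a stand-in for picomatch (only *, ** and literal characters are supported) so that a deny list can be checked offline under either option set. The deny list, the request paths, and the HARDENED option set (full-path matching with dotfiles included) are this example's own constructed choices, not a quotation of Vite's patch.

```javascript
// Added example, not Vite's or picomatch's code: a small glob matcher that
// models the two picomatch options the advisory discusses (`matchBase` and
// `dot`) so a deny list can be checked offline under either setting.
// The glob-to-RegExp translation is a simplified stand-in for picomatch and
// only understands `*`, `**` and literal characters.

function globToRegExp(glob, { dot = false } = {}) {
  // `*` never crosses a `/`; without `dot`, it also refuses a leading `.`
  const star = dot ? '[^/]*' : '(?!\\.)[^/]*';
  const segment = dot ? '[^/]+' : '(?!\\.)[^/]+';
  let re = '';
  let i = 0;
  while (i < glob.length) {
    if (glob.startsWith('**/', i)) {
      re += `(?:${segment}/)*`; // zero or more whole directories
      i += 3;
    } else if (glob.startsWith('**', i)) {
      re += `(?:${segment}(?:/${segment})*)?`; // any remaining path
      i += 2;
    } else if (glob[i] === '*') {
      re += star;
      i += 1;
    } else {
      re += glob[i].replace(/[.+?^${}()|[\]\\]/g, '\\$&'); // literal character
      i += 1;
    }
  }
  return new RegExp(`^${re}$`);
}

// Decide whether a request path is blocked by a deny list.
// matchBase=true reproduces the behaviour the advisory describes (picomatch
// issue #89): only the basename is ever compared, so a pattern such as
// `**/.git/**` can never see the `.git/` directory part of the path.
function isDenied(requestPath, denyPatterns, { matchBase = false, dot = false } = {}) {
  const rel = requestPath.replace(/^\/+/, ''); // `/.git/config` -> `.git/config`
  const subject = matchBase ? rel.split('/').pop() : rel;
  return denyPatterns.some((pattern) =>
    globToRegExp(pattern.replace(/^\/+/, ''), { dot }).test(subject),
  );
}

// Constructed deny list for this example: the advisory's `**/.git/**` plus
// a basename-only pattern, which works under both option sets.
const DENY = ['**/.git/**', '**/*.env'];
// The pre-fix option set named in the advisory, and the hardened set this
// example assumes (full-path matching, dotfiles included).
const VULNERABLE = { matchBase: true, dot: false };
const HARDENED = { matchBase: false, dot: true };

// Evaluate one request path under both option sets.
function check(requestPath) {
  return {
    path: requestPath,
    deniedVulnerable: isDenied(requestPath, DENY, VULNERABLE),
    deniedHardened: isDenied(requestPath, DENY, HARDENED),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample requests: the advisory's `/.git/config` plus two others.
  for (const p of ['/.git/config', '/src/prod.env', '/src/index.ts']) {
    console.log(check(p));
  }
}
```

Run it with node. Under VULNERABLE, /.git/config is not denied because only the basename "config" is ever compared against `**/.git/**`, while /src/prod.env is still denied because `**/*.env` needs no directory to match; under HARDENED both are denied and an unrelated path such as /src/index.ts stays allowed. The same matcher also shows the dot point: with dot left false, a pattern like `**/*` does not match /src/.env, but a pattern that names the dotfile directory explicitly (`**/.git/**`) still does.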
{
  "affected": [
    {
      "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.17" },
      "package": { "ecosystem": "npm", "name": "vite" },
      "ranges": [ { "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.18" } ], "type": "ECOSYSTEM" } ]
    },
    {
      "database_specific": { "last_known_affected_version_range": "\u003c= 3.2.8" },
      "package": { "ecosystem": "npm", "name": "vite" },
      "ranges": [ { "events": [ { "introduced": "3.0.0" }, { "fixed": "3.2.10" } ], "type": "ECOSYSTEM" } ]
    },
    {
      "database_specific": { "last_known_affected_version_range": "\u003c= 4.5.2" },
      "package": { "ecosystem": "npm", "name": "vite" },
      "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.5.3" } ], "type": "ECOSYSTEM" } ]
    },
    {
      "database_specific": { "last_known_affected_version_range": "\u003c= 5.0.12" },
      "package": { "ecosystem": "npm", "name": "vite" },
      "ranges": [ { "events": [ { "introduced": "5.0.0" }, { "fixed": "5.0.13" } ], "type": "ECOSYSTEM" } ]
    },
    {
      "database_specific": { "last_known_affected_version_range": "\u003c= 5.1.6" },
      "package": { "ecosystem": "npm", "name": "vite" },
      "ranges": [ { "events": [ { "introduced": "5.1.0" }, { "fixed": "5.1.7" } ], "type": "ECOSYSTEM" } ]
    },
    {
      "database_specific": { "last_known_affected_version_range": "\u003c= 5.2.5" },
      "package": { "ecosystem": "npm", "name": "vite" },
      "ranges": [ { "events": [ { "introduced": "5.2.0" }, { "fixed": "5.2.6" } ], "type": "ECOSYSTEM" } ]
    }
  ],
  "aliases": [ "CVE-2024-31207" ],
  "database_specific": {
    "cwe_ids": [ "CWE-200", "CWE-284" ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-03T16:46:17Z",
    "nvd_published_at": "2024-04-04T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.\n\n### Impact\nOnly apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Patches\nFixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18\n\n### Details\n`server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean) only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set `{ dot: true }` and that causes [dotfiles not to be denied](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=error%20is%20thrown.-,dot,-boolean) unless they are explicitly defined.\n\n**Reproduction**\n\nSet fs.deny to `[\u0027**/.git/**\u0027]` and then curl for `/.git/config`.\n\n* with `matchBase: true`, you can get any file under `.git/` (config, HEAD, etc).\n* with `matchBase: false`, you cannot get any file under `.git/` (config, HEAD, etc).\n",
  "id": "GHSA-8jhw-289h-jh2g",
  "modified": "2024-04-04T20:24:27Z",
  "published": "2024-04-03T16:46:17Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31207" },
    { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0" },
    { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48" },
    { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67" },
    { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9" },
    { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258" },
    { "type": "WEB", "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649" },
    { "type": "PACKAGE", "url": "https://github.com/vitejs/vite" }
  ],
  "schema_version": "1.4.0",
  "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ],
  "summary": "Vite\u0027s `server.fs.deny` did not deny requests for patterns with directories."
}