VYPR
High severity · NVD Advisory · Published Jun 1, 2023 · Updated Jan 8, 2025

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

CVE-2023-34092

Description

Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (server.fs.deny) can be bypassed using a double forward-slash (//), which allows any unauthenticated user to read files from the Vite root path of the application, including those covered by the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']). Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.
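As an added illustration (not Vite's code and not the project's actual fix), the Python sketch below shows why a deny list must be matched against a canonicalized path: a check that compares patterns against the raw request path can be slipped past by a different spelling of the same file, such as the double forward-slash form the advisory describes, while a check that first decodes and normalizes the path denies every spelling. The functions `glob_to_regex`, `is_denied_naive` and `is_denied_normalized` and the sample request paths are assumptions constructed for this example; the deny patterns are the defaults quoted above, matched here against the path relative to the project root.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed: Vite's default fs.deny patterns as quoted in the advisory,
# with the brace group '*.{crt,pem}' expanded.
DEFAULT_DENY = [".env", ".env.*", "*.crt", "*.pem"]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a simple glob into a regex in which '*' and '?' do not cross '/'.
    Patterns are anchored at the project root for this illustration."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$")


DENY_RES = [glob_to_regex(p) for p in DEFAULT_DENY]


def is_denied_naive(url_path: str) -> bool:
    """Flawed check (hypothetical): strips exactly one leading '/' and matches the
    remainder as-is. For '//.env' the remainder is '/.env', which no root-relative
    pattern matches, so the file is served although '/.env' would be denied."""
    rel = url_path[1:] if url_path.startswith("/") else url_path
    return any(r.match(rel) for r in DENY_RES)


def canonical_relative(url_path: str) -> str:
    """Percent-decode, collapse runs of '/', resolve '.' and '..' segments, and
    return the path relative to the root. Every spelling of one file maps to
    one string, so the deny list sees the same input each time."""
    decoded = unquote(url_path)
    collapsed = re.sub(r"/+", "/", "/" + decoded)   # '///.env' -> '/.env'
    canon = posixpath.normpath(collapsed)            # '/src/../.env' -> '/.env'
    return canon.lstrip("/")


def is_denied_normalized(url_path: str) -> bool:
    """Hardened check: match the deny list against the canonical relative path."""
    return any(r.match(canonical_relative(url_path)) for r in DENY_RES)


if __name__ == "__main__":
    # Constructed sample request paths, all but the last naming files the
    # defaults are meant to protect.
    for path in ["/.env", "//.env", "/%2F.env", "/src/../.env", "/.env.local",
                 "/server.pem", "/src/main.ts"]:
        print(f"{path:16} naive={is_denied_naive(path)!s:5} "
              f"normalized={is_denied_normalized(path)}")
```

The decisive detail is that the canonical form is computed before the deny list is consulted; matching first and normalizing afterwards leaves the same gap, because the pattern match and the file lookup then operate on different strings.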

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions      Patched versions
vite (npm)    < 2.9.16               2.9.16
vite (npm)    >= 3.0.2, < 3.2.7      3.2.7
vite (npm)    >= 4.0.0, < 4.0.5      4.0.5
vite (npm)    >= 4.1.0, < 4.1.5      4.1.5
vite (npm)    >= 4.2.0, < 4.2.3      4.2.3
vite (npm)    >= 4.3.0, < 4.3.9      4.3.9
