VYPR
← All advisories
High severityNVD Advisory· Published Jun 1, 2023· Updated Jan 8, 2025

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

CVE-2023-34092

Description

Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']). Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vitenpm
< 2.9.162.9.16
vitenpm
>= 3.0.2, < 3.2.73.2.7
vitenpm
>= 4.0.0, < 4.0.54.0.5
vitenpm
>= 4.1.0, < 4.1.54.1.5
vitenpm
>= 4.2.0, < 4.2.34.2.3
vitenpm
>= 4.3.0, < 4.3.94.3.9

Affected products

1

Patches

1
813ddd6155c3

fix: fs.deny with leading double slash (#13348)

https://github.com/vitejs/vitepatakMay 26, 2023via ghsa
commit
4 files changed · +38 3
  • packages/vite/src/node/server/middlewares/static.ts+2 2 modified
    @@ -100,7 +100,7 @@ export function serveStaticMiddleware(
       return next()
     }
 
-    const url = new URL(req.url!, 'http://example.com')
+    const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
     const pathname = decodeURIComponent(url.pathname)
 
     // apply aliases to static requests as well
@@ -153,7 +153,7 @@ export function serveRawFsMiddleware(
 
   // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
   return function viteServeRawFsMiddleware(req, res, next) {
-    const url = new URL(req.url!, 'http://example.com')
+    const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
     // In some cases (e.g. linked monorepos) files outside of root will
     // reference assets that are also out of served root. In such cases
     // the paths are rewritten to `/@fs/` prefixed paths and must be served by
  • playground/assets-sanitize/.env+1 0 added
    @@ -0,0 +1 @@
+KEY=unsafe
  • playground/assets-sanitize/index.html+30 1 modified
    @@ -6,6 +6,35 @@
     margin-bottom: 1rem;
   }
 </style>
-<h1>test elements below should show circles and their url</h1>
+<h3>test elements below should show circles and their url</h3>
 <div class="test-el plus-circle"></div>
 <div class="test-el underscore-circle"></div>
+
+<h3>Denied .env</h3>
+<div class="unsafe-dotenv"></div>
+<div class="unsafe-dotenv-double-slash"></div>
+
+<script type="module">
+  // .env, denied by default. See fs-serve playground for other fs tests
+  // these checks ensure that a project without a custom root respects fs.deny
+
+  fetch('/.env')
+    .then((r) => {
+      text('.unsafe-dotenv', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  fetch(window.location + '/.env')
+    .then((r) => {
+      text('.unsafe-dotenv-double-slash', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  function text(el, text) {
+    document.querySelector(el).textContent = text
+  }
+</script>
  • playground/assets-sanitize/__tests__/assets-sanitize.spec.ts+5 0 modified
    @@ -25,3 +25,8 @@ if (!isBuild) {
     expect(Object.keys(manifest).length).toBe(3) // 2 svg, 1 index.js
   })
 }
+
+test.runIf(!isBuild)('denied .env', async () => {
+  expect(await page.textContent('.unsafe-dotenv')).toBe('403')
+  expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
+})

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.