High severityNVD Advisory· Published Jan 19, 2024· Updated Jun 17, 2025
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
CVE-2024-23331
Description
Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vitenpm | >= 2.7.0, < 2.9.17 | 2.9.17 |
vitenpm | >= 3.0.0, < 3.2.8 | 3.2.8 |
vitenpm | >= 4.0.0, < 4.5.2 | 4.5.2 |
vitenpm | >= 5.0.0, < 5.0.12 | 5.0.12 |
Affected products
1Patches
43 files changed · +19 −3
packages/playground/fs-serve/root/src/index.html+11 −1 modified@@ -45,6 +45,7 @@ <h2>Nested Entry</h2> <h2>Denied</h2> <pre class="unsafe-dotenv"></pre> +<pre class="unsafe-dotEnV-casing"></pre> <script type="module"> import '../../entry' @@ -202,14 +203,23 @@ <h2>Denied</h2> }) // .env, denied by default - fetch('/@fs/' + ROOT + '/root/.env') + fetch('/@fs/' + ROOT + '/root/src/.env') .then((r) => { text('.unsafe-dotenv', r.status) }) .catch((e) => { console.error(e) }) + // .env, for case insensitive file systems + fetch('/@fs/' + ROOT + '/root/src/.EnV') + .then((r) => { + text('.unsafe-dotEnV-casing', r.status) + }) + .catch((e) => { + console.error(e) + }) + function text(sel, text) { document.querySelector(sel).textContent = text }
packages/playground/fs-serve/__tests__/fs-serve.spec.ts+7 −1 modified@@ -97,7 +97,13 @@ describe('main', () => { }) test('denied', async () => { - expect(await page.textContent('.unsafe-dotenv')).toBe('404') + expect(await page.textContent('.unsafe-dotenv')).toBe('403') + }) + + test('denied EnV casing', async () => { + // It is 403 in case insensitive system, 404 in others + const code = await page.textContent('.unsafe-dotEnV-casing') + expect(code === '403' || code === '404').toBeTruthy() }) } else { test('dummy test to make jest happy', async () => {
packages/vite/src/node/server/middlewares/static.ts+1 −1 modified@@ -156,7 +156,7 @@ export function serveRawFsMiddleware( } } -const _matchOptions = { matchBase: true } +const _matchOptions = { matchBase: true, nocase: true } export function isFileServingAllowed( url: string,
a26c87d20f9afix: fs deny for case insensitive
3 files changed · +22 −3
packages/vite/src/node/server/index.ts+4 −1 modified@@ -452,7 +452,10 @@ export async function createServer( _importGlobMap: new Map(), _forceOptimizeOnRestart: false, _pendingRequests: new Map(), - _fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true }) + _fsDenyGlob: picomatch(config.server.fs.deny, { + matchBase: true, + nocase: true + }) } server.transformIndexHtml = createDevHtmlTransformFn(server)
playground/fs-serve/root/src/index.html+11 −1 modified@@ -45,6 +45,7 @@ <h2>Nested Entry</h2> <h2>Denied</h2> <pre class="unsafe-dotenv"></pre> +<pre class="unsafe-dotEnV-casing"></pre> <script type="module"> import '../../entry' @@ -202,14 +203,23 @@ <h2>Denied</h2> }) // .env, denied by default - fetch('/@fs/' + ROOT + '/root/.env') + fetch('/@fs/' + ROOT + '/root/src/.env') .then((r) => { text('.unsafe-dotenv', r.status) }) .catch((e) => { console.error(e) }) + // .env, for case insensitive file systems + fetch('/@fs/' + ROOT + '/root/src/.EnV') + .then((r) => { + text('.unsafe-dotEnV-casing', r.status) + }) + .catch((e) => { + console.error(e) + }) + function text(sel, text) { document.querySelector(sel).textContent = text }
playground/fs-serve/__tests__/fs-serve.spec.ts+7 −1 modified@@ -95,7 +95,13 @@ describe.runIf(isServe)('main', () => { }) test('denied', async () => { - expect(await page.textContent('.unsafe-dotenv')).toBe('404') + expect(await page.textContent('.unsafe-dotenv')).toBe('403') + }) + + test('denied EnV casing', async () => { + // It is 403 in case insensitive system, 404 in others + const code = await page.textContent('.unsafe-dotEnV-casing') + expect(code === '403' || code === '404').toBeTruthy() }) })
eeec23bbc9d4fix: fs deny for case insensitive systems (#15653)
4 files changed · +33 −4
packages/vite/src/node/server/index.ts+4 −1 modified@@ -509,7 +509,10 @@ export async function _createServer( _importGlobMap: new Map(), _forceOptimizeOnRestart: false, _pendingRequests: new Map(), - _fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true }), + _fsDenyGlob: picomatch(config.server.fs.deny, { + matchBase: true, + nocase: true, + }), _shortcutsOptions: undefined, }
playground/fs-serve/root/src/index.html+15 −1 modified@@ -45,6 +45,7 @@ <h2>Nested Entry</h2> <h2>Denied</h2> <pre class="unsafe-dotenv"></pre> +<pre class="unsafe-dotEnV-casing"></pre> <script type="module"> import '../../entry' @@ -236,14 +237,27 @@ <h2>Denied</h2> }) // .env, denied by default - fetch(joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/.env')) + fetch( + joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/src/.env'), + ) .then((r) => { text('.unsafe-dotenv', r.status) }) .catch((e) => { console.error(e) }) + // .env, for case insensitive file systems + fetch( + joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/src/.EnV'), + ) + .then((r) => { + text('.unsafe-dotEnV-casing', r.status) + }) + .catch((e) => { + console.error(e) + }) + function text(sel, text) { document.querySelector(sel).textContent = text }
playground/fs-serve/__tests__/base/fs-serve-base.spec.ts+7 −1 modified@@ -92,7 +92,13 @@ describe.runIf(isServe)('main', () => { }) test('denied', async () => { - expect(await page.textContent('.unsafe-dotenv')).toBe('404') + expect(await page.textContent('.unsafe-dotenv')).toBe('403') + }) + + test('denied EnV casing', async () => { + // It is 403 in case insensitive system, 404 in others + const code = await page.textContent('.unsafe-dotEnV-casing') + expect(code === '403' || code === '404').toBeTruthy() }) })
playground/fs-serve/__tests__/fs-serve.spec.ts+7 −1 modified@@ -92,7 +92,13 @@ describe.runIf(isServe)('main', () => { }) test('denied', async () => { - expect(await page.textContent('.unsafe-dotenv')).toBe('404') + expect(await page.textContent('.unsafe-dotenv')).toBe('403') + }) + + test('denied EnV casing', async () => { + // It is 403 in case insensitive system, 404 in others + const code = await page.textContent('.unsafe-dotEnV-casing') + expect(code === '403' || code === '404').toBeTruthy() }) })
91641c4da0a0fix: fs deny for case insensitive systems (#15653)
4 files changed · +33 −4
packages/vite/src/node/server/index.ts+4 −1 modified@@ -617,7 +617,10 @@ export async function _createServer( _importGlobMap: new Map(), _forceOptimizeOnRestart: false, _pendingRequests: new Map(), - _fsDenyGlob: picomatch(config.server.fs.deny, { matchBase: true }), + _fsDenyGlob: picomatch(config.server.fs.deny, { + matchBase: true, + nocase: true, + }), _shortcutsOptions: undefined, }
playground/fs-serve/root/src/index.html+15 −1 modified@@ -45,6 +45,7 @@ <h2>Nested Entry</h2> <h2>Denied</h2> <pre class="unsafe-dotenv"></pre> +<pre class="unsafe-dotEnV-casing"></pre> <script type="module"> import '../../entry' @@ -236,14 +237,27 @@ <h2>Denied</h2> }) // .env, denied by default - fetch(joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/.env')) + fetch( + joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/src/.env'), + ) .then((r) => { text('.unsafe-dotenv', r.status) }) .catch((e) => { console.error(e) }) + // .env, for case insensitive file systems + fetch( + joinUrlSegments(base, joinUrlSegments('/@fs/', ROOT) + '/root/src/.EnV'), + ) + .then((r) => { + text('.unsafe-dotEnV-casing', r.status) + }) + .catch((e) => { + console.error(e) + }) + function text(sel, text) { document.querySelector(sel).textContent = text }
playground/fs-serve/__tests__/base/fs-serve-base.spec.ts+7 −1 modified@@ -92,7 +92,13 @@ describe.runIf(isServe)('main', () => { }) test('denied', async () => { - expect(await page.textContent('.unsafe-dotenv')).toBe('404') + expect(await page.textContent('.unsafe-dotenv')).toBe('403') + }) + + test('denied EnV casing', async () => { + // It is 403 in case insensitive system, 404 in others + const code = await page.textContent('.unsafe-dotEnV-casing') + expect(code === '403' || code === '404').toBeTruthy() }) })
playground/fs-serve/__tests__/fs-serve.spec.ts+7 −1 modified@@ -92,7 +92,13 @@ describe.runIf(isServe)('main', () => { }) test('denied', async () => { - expect(await page.textContent('.unsafe-dotenv')).toBe('404') + expect(await page.textContent('.unsafe-dotenv')).toBe('403') + }) + + test('denied EnV casing', async () => { + // It is 403 in case insensitive system, 404 in others + const code = await page.textContent('.unsafe-dotEnV-casing') + expect(code === '403' || code === '404').toBeTruthy() }) })
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-c24v-8rfc-w8vwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-34092ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-23331ghsaADVISORY
- github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691ghsaWEB
- github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5ghsax_refsource_MISCWEB
- github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278ghsaWEB
- github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cbghsaWEB
- github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vwghsax_refsource_CONFIRMWEB
- vitejs.dev/config/server-options.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.