Summary
The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (//
). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n\n2. Secure the Server Configuration:In your vite.config.js
file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deny: ['private-directory'] // Restrict access to specific directories
Impact
Only users explicitly exposing the Vite dev server to the network (using --host
or server.host
config option) are affected, and only files in the immediate Vite project root folder could be exposed.
Patches
Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16
Details
Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.
PoC
- Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
- Serve the application on dev mode using pnpm run dev.
- Directly access the file from url using double forward-slash (
//
) (e.g: //.env
, //.env.local
)
- Server Options
fs.deny
restrict successfully bypassed.
Proof Images:
References
Summary
The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (
//
). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n\n2. Secure the Server Configuration:In yourvite.config.js
file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deny: ['private-directory'] // Restrict access to specific directoriesImpact
Only users explicitly exposing the Vite dev server to the network (using
--host
orserver.host
config option) are affected, and only files in the immediate Vite project root folder could be exposed.Patches
Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16
Details
Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.
PoC
//
) (e.g://.env
,//.env.local
)fs.deny
restrict successfully bypassed.Proof Images:
References