Summary
The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n\n2. Secure the Server Configuration:In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deny: ['private-directory'] // Restrict access to specific directories
Impact
Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.
Patches
Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16
Details
Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.
PoC
- Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
- Serve the application on dev mode using pnpm run dev.
- Directly access the file from url using double forward-slash (
//) (e.g: //.env, //.env.local)
- Server Options
fs.deny restrict successfully bypassed.
Proof Images:
References
agussetyar Reporter
thenameisajay Analyst
Summary
The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (
//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n\n2. Secure the Server Configuration:In yourvite.config.jsfile, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deny: ['private-directory'] // Restrict access to specific directoriesImpact
Only users explicitly exposing the Vite dev server to the network (using
--hostorserver.hostconfig option) are affected, and only files in the immediate Vite project root folder could be exposed.Patches
Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16
Details
Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.
PoC
//) (e.g://.env,//.env.local)fs.denyrestrict successfully bypassed.Proof Images:
References