CVE-2024-31207 – vite
Package
Manager: npm
Name: vite
Vulnerable Version: >=2.7.0 <2.9.18 || >=3.0.0 <3.2.10 || >=4.0.0 <4.5.3 || >=5.0.0 <5.0.13 || >=5.1.0 <5.1.7 || >=5.2.0 <5.2.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00139 (percentile 0.34668)
Details
Vite's `server.fs.deny` did not deny requests for patterns with directories.

### Summary

The [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.

### Impact

Only apps that set a custom `server.fs.deny` including a pattern with directories, and that explicitly expose the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)), are affected.

### Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18.

### Details

`server.fs.deny` uses picomatch with the config `{ matchBase: true }`. Due to a bug (https://github.com/micromatch/picomatch/issues/89), [matchBase](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean) matches only the basename of the file, not the full path. The Vite config docs read as though `fs.deny` accepts picomatch globs. Vite also does not set `{ dot: true }`, which causes [dotfiles not to be denied](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=error%20is%20thrown.-,dot,-boolean) unless they are explicitly named in the pattern.

**Reproduction**

Set `fs.deny` to `['**/.git/**']` and then curl for `/.git/config`.

* With `matchBase: true`, you can get any file under `.git/` (config, HEAD, etc.).
* With `matchBase: false`, you cannot get any file under `.git/` (config, HEAD, etc.).
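The following is an added illustration of the two behaviours described above; it is not code from Vite or picomatch. It uses a small stand-in glob matcher (an assumption: a simplified reimplementation of the documented `**`, `*` and `dot` semantics, not the real picomatch engine) so the effect of `matchBase` and `dot` on a deny list can be checked offline. The `isDenied`, `globToRegExp` and `reproduce` names, the deny list and the request paths are all constructed for this example.

```javascript
// Added illustration, not code from Vite or picomatch: a minimal glob matcher
// that reproduces the behaviours the advisory describes for `server.fs.deny`,
// so the effect of `matchBase` and `dot` can be checked offline.

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Build a RegExp for one glob. Supports `**` (zero or more whole path
// segments), `*` (within one segment) and literal text. With `dot: false`,
// wildcards refuse to match a segment that starts with "." unless the pattern
// spells that segment out literally (the documented picomatch rule, simplified).
function globToRegExp(pattern, { dot = false } = {}) {
  const guard = dot ? '' : '(?!\\.)';
  const anySeg = `${guard}[^/]+`;
  const parts = pattern.split('/');
  let re = '^';
  parts.forEach((part, i) => {
    const last = i === parts.length - 1;
    if (part === '**') {
      re += last ? `(?:${anySeg}(?:/${anySeg})*)?` : `(?:${anySeg}/)*`;
      return;
    }
    let segRe = part.startsWith('.') ? '' : guard;
    for (const ch of part) segRe += ch === '*' ? '[^/]*' : escapeRegExp(ch);
    re += segRe + (last ? '' : '/');
  });
  return new RegExp(re + '$');
}

// Decide whether `filePath` (relative to the served root, "/" separated) hits
// any deny pattern. `matchBase: true` mimics the buggy behaviour the advisory
// describes: the pattern is tested against the basename only, so a pattern
// containing directories can never match.
function isDenied(filePath, denyPatterns, { matchBase = false, dot = false } = {}) {
  const subject = matchBase ? filePath.split('/').pop() : filePath;
  return denyPatterns.some((p) => globToRegExp(p, { dot }).test(subject));
}

// Three option sets: the one the affected versions used, path matching alone,
// and path matching with dotfiles included (constructed for this example).
const VULNERABLE = { matchBase: true };
const PATH_ONLY = { matchBase: false };
const FIXED = { matchBase: false, dot: true };

// Reproduction from the advisory (deny `**/.git/**`, request `.git/config`),
// plus a `*.pem` pattern to show the separate effect of `dot`.
function reproduce() {
  const deny = ['**/.git/**', '**/*.pem'];
  const requests = ['.git/config', 'src/.git/HEAD', 'certs/.server.pem', 'src/index.ts'];
  const table = {};
  for (const req of requests) {
    table[req] = {
      vulnerable: isDenied(req, deny, VULNERABLE),
      pathOnly: isDenied(req, deny, PATH_ONLY),
      fixed: isDenied(req, deny, FIXED),
    };
  }
  return table;
}

console.table(reproduce());
```

The table makes both findings visible at once: with basename-only matching nothing under `.git/` is ever denied, because the basename `config` cannot match a pattern that contains a directory; and even with full-path matching, a dotfile such as `certs/.server.pem` slips past `**/*.pem` until `dot` is enabled, while `.git/config` is caught either way because `.git` is spelled out in the pattern.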
Metadata
Created: 2024-04-03T16:46:17Z
Modified: 2024-04-04T20:24:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-8jhw-289h-jh2g/GHSA-8jhw-289h-jh2g.json
CWE IDs: ["CWE-200", "CWE-284"]
Alternative ID: GHSA-8jhw-289h-jh2g
Finding: F308
Auto approve: 1