CVE-2023-34092 Information
Description
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, the Vite server option server.fs.deny can be bypassed using a double forward-slash (//), which allows any unauthenticated user to read files from the Vite root path of the application, including files covered by the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']). Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.
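The following added example, which is not code from the Vite project or from the advisory, turns the fixed versions and the exposure condition above into a triage check for an exact installed Vite version and its server.host value. The function names, the status strings, the loopback host list and the treatment of release lines with no listed fix as unfixed are assumptions.

```javascript
// Added example, not Vite project code.
// Fixed patch level per release line, taken from the description above.
const FIXED_PATCH = new Map([
  ["2.9", 16], ["3.2", 7], ["4.0", 5], ["4.1", 5], ["4.2", 3], ["4.3", 9],
]);
// Assumption: these server.host values keep the dev server on loopback only.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

// Accepts only an exact installed version (e.g. from a lockfile), not a range.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  if (!m) throw new TypeError(`not an exact version: ${raw}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] !== undefined };
}

function isUnfixed(raw) {
  const v = parseVersion(raw);
  const line = `${v.major}.${v.minor}`;
  if (FIXED_PATCH.has(line)) {
    const fixed = FIXED_PATCH.get(line);
    // A pre-release of the fixed version sorts before the fixed release.
    return v.patch < fixed || (v.patch === fixed && v.pre);
  }
  // Lines newer than 4.3 postdate the fix. Assumption: older lines with no
  // listed fix (for example 3.0.x or 3.1.x) never received one.
  return !(v.major > 4 || (v.major === 4 && v.minor > 3));
}

// host mirrors server.host: true (or a bare --host) listens on all addresses.
function isNetworkExposed(host) {
  if (host === true) return true;
  return typeof host === "string" && !LOOPBACK.has(host);
}

function assess(version, host) {
  if (!isUnfixed(version)) return "fixed";
  return isNetworkExposed(host) ? "unfixed-network-exposed" : "unfixed-loopback-only";
}

// Constructed sample inventory: [project, installed vite version, server.host].
const SAMPLE = [["shop-ui", "4.3.8", true], ["docs", "4.3.9", "0.0.0.0"], ["legacy", "3.1.4", undefined]];
for (const [name, version, host] of SAMPLE) {
  console.log(`${name}: vite@${version} -> ${assess(version, host)}`);
}
```

Feed it the version recorded in the lockfile rather than the range in package.json, since a range such as ^4.3.0 does not say which patch level is installed.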
Reference
https://github.com/vitejs/vite/pull/13348
https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32
https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67