CVE-2024-23331
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-23331
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23331.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-23331
- Aliases
- Downstream
- Related
- Published
- 2024-01-19T19:43:17Z
- Modified
- 2025-10-15T07:17:17.480376Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
- Details
-
Vite is a frontend tooling framework for javascript. The Vite dev server option
server.fs.denycan be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Sincepicomatchdefaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived fromconfig.server.fs.denyfails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. - References
Affected packages
Git / github.com/vitejs/vite
Affected ranges
- Type
- GIT
- Repo
- https://github.com/vitejs/vite
- Events
- Type
- GIT
- Repo
- https://github.com/vitejs/vite
- Events
- Type
- GIT
- Repo
- https://github.com/vitejs/vite
- Events
- Type
- GIT
- Repo
- https://github.com/vitejs/vite
- Events